General Information


Record Number: 200141196 


Title: 10 RedHat Linux Systems Compromised at JPL 


Contact Name: b6, 7C


Contact Center: NASIRC 


Incident Category: System Compromise
Attacker: Stakkato


Attacker Note: 


Incident Dates 


Incident Date: 11/28/2003 


Discovered Date: 11/28/2003


NASIRC Notified Date: 12/1/2003


Closed Date: 12/19/2003 


Dates For Other Notifications 
ITSM Date: 


US-CERT Date: 
CSO Date: 
OIG Date: 

CIO Date: 
ITSO Date: 


CCITS Date: 


PII Information 


Center: JPL


Contact Phone: 
Coordinator: 


Est. Cost ($): 2400 


Hostile Unknown?: No
Impact: High


Source of Report:


Est. Cost (hours): 24


Incident Zone: PST 


Discovered Zone:


NASIRC Notified Zone: EDT


Closed Zone: 


ITSM Zone: 
US-CERT Zone: 
CSO Zone: 
OIG Zone: 

CIO Zone: 
ITSO Zone: 
CCITS Zone: 


Time Limit: 30 
PII Involved?: No


PII Disclosed By: 


PII Data Types: 


Scope of PII Exposure:


Host Information

NASA System Information
(Name, IP Address and Admin columns are redacted; the HW Manufacturer, HW Version, Sensitivity Description and CVE columns are empty.)

OS Manufacturer | OS Version | Function | Security Plan
Redhat | Linux 7.1 | Tool Builder | 257
Redhat | Linux 7.x | | 257
Sun (Software) | Solaris 8 | | 383
Sun (Software) | Solaris 8 | |
Sun (Software) | Solaris 2.6 | |
Redhat | Linux | Workstation | 257
Redhat | Linux | | 448

Exploit | system_id
Linux ptrace() kmod | 6302
Linux | 6313
Local Root Exploit | 6314
Local Root Exploit | 6316
Linux ptrace() kmod | 6317
Linux ptrace | 6301
Linux | «219 (unreadable)
(Sensitive Info?, Information Category and Category columns: N/A in two rows, otherwise empty.)

SENSITIVE BUT UNCLASSIFIED

Law Enforcement/IG Notified?:

PII Report Date:
PII Data Protection:
Number of Unauthorized People with Access:
PII Report Zone:
Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41509

Additional Information

Notices
ID | Abbreviation | noticeid | Date
2003-PLESAAA | FedCIRC | 3237 | 01-DEC-2003
A-03-468 | NASIRC | 3236 | 01-DEC-2003
LTOOL-ID115-12-2003 | Center | 3240 | 05-DEC-2003

NASA System Information (continued)
OS Version | Function | Security Plan | Exploit | system_id | Sensitive Info?
Solaris 2.5 | | 11 | Solaris priocntl() Local Root | 6315 | N/A
Solaris 8 | | | Local Root Exploit | 6318 | N/A
Linux 7.x | Workstation | | Linux ptrace() kmod | 6979 |

All of the highlighted texts will be released

Summary:
12/01/2003: [redacted] JPL reports the System Compromise of [redacted] and [redacted]. Both systems are running RedHat Linux 7.x. Attacking IP not available at this time. NASIRC issued A-03-468. FedCIRC #2003-PLESAAA added. [redacted]
12/05/2003: Weekly update from JPL below.
12/18/2003: Update per [redacted], incident was reopened on their end due to more hosts being infected.
12/19/2003: Closed per [redacted], incident closed.
Chronology:


















-----Original Message-----
From: [redacted] [mailto:[redacted]@jpl.nasa.gov]
Sent: Monday, December 01, 2003 4:27 PM
To: [redacted].gov; [redacted]@jpl.nasa.gov; [redacted]@nasa.gov; [redacted]@jpl.nasa.gov; [redacted]@hq.nasa.gov; [redacted]@jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) JPL Incident Initial Notification (ID 115)

INITIAL INCIDENT NOTIFICATION
Investigation Name: LTOOL-ID115-12-2003
Incident Date: 2003-11-28, 17:45
Investigator Name: [redacted]
Notified By: RealSecure
JPL Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | INCIDENT CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | RedHat Linux 7.x | [redacted] | SC | Undetermined | No | None
2. [redacted] | [redacted] | RedHat Linux 7.x | Workstation | Undetermined | No | None
Perpetrator Computer Information: ADDRESS | CITY | STATE | COUNTRY
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

***********************************************************
FedCIRC has received your incident report, NASIRC A-03-468 and will process accordingly. Your incident has been assigned FedCIRC incident # 2003-PLESAAA for future reference.
- The automated FedCIRC Incident Report Form is available here: http://www.fedcirc.gov/reportform.html
- Additional information regarding FedCIRC and incident reporting/handling is available at the FedCIRC website (http://www.fedcirc.gov).
Thank you,
FedCIRC Operations
Phone: [redacted]
Fax: 703-326-9461
email: fedcirc@fedcirc.gov
***********************************************************

-----Original Message-----
From: [redacted]
Sent: Friday, December 05, 2003 2:36 PM
To: [redacted]@hq.nasa.gov
Cc: [redacted]@jpl.nasa.gov
Subject: (NASIRC Ref: 107398094) Weekly Incident Report for [unreadable]Nov03_04Dec03

***********************************************************
NEW INCIDENTS: 1
***********************************************************
INCIDENT INFO
Incident Name: LTOOL-ID115-12-2003
Discovery Date: 28-NOV-03
Exploit Date: 28-NOV-03
Labor Hours: n/a
Labor Cost: n/a
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: 7.1   System Security Plan: 257
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: 7.1   System Security Plan: 257

-----Original Message-----
From: [redacted]
Sent: Thursday, December 18, 2003
To: [redacted]@hq.nasa.gov; [redacted]@jpl.nasa.gov
Subject: (NASIRC Ref: 107398850) [unreadable] Morning Read Board [unreadable]

> 1 incident, 2 systems: 200141196 [redacted].jpl.nasa.gov
> [redacted]
This has been reopened as we found a few more hosts infected - most have been cleaned up. Linux machines - ptrace and do_brk kernel exploits, along with ettercap sniffers.
***********************************************************

-----Original Message-----
From: [redacted] [mailto:[redacted]@jpl.nasa.gov]
Sent: Thursday, December 18, 2003 7:24 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107399025) Weekly Incident Report for 05Dec03_17Dec03

***********************************************************
NEW INCIDENTS: 0
***********************************************************
OPEN INCIDENTS: 1
***********************************************************
INCIDENT INFO
Incident Name: LTOOL-ID115-12-2003
Discovery Date: 28-NOV-03
Exploit Date: 28-NOV-03
Labor Hours: 24
Labor Cost: $2400
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 448
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: 7.1   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 2.6 (5.6)   OS Version: n/a   System Security Plan: 383
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: 383
Domain Name: [redacted]JPL.jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Solaris priocntl() Local Root   System OS: Sun Solaris 2.5 (5.5)   OS Version: n/a   System Security Plan: 11
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Trojan   Exploit Used: Local Ptrace Root Exploit   System OS: Sun Solaris 2.6 (5.6)   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: 7.1   System Security Plan: 257
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: n/a
***********************************************************
CLOSED INCIDENTS: 1
***********************************************************
INCIDENT INFO
Incident Name: [redacted]D115-12-2003
Discovery Date: 28-NOV-03
Exploit Date: 28-NOV-03
Labor Hours: 24
Labor Cost: 2400
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 448
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: 7.1   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 2.6 (5.6)   OS Version: n/a   System Security Plan: 383
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: 383
Domain Name: [redacted]JPL.jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Solaris priocntl() Local Root   System OS: Sun Solaris 2.5 (5.5)   OS Version: n/a   System Security Plan: 11
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Trojan   Exploit Used: Local Ptrace Root Exploit   System OS: Sun Solaris 2.6 (5.6)   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Ptrace Root Exploit   System OS: RedHat Linux 7.x   OS Version: 7.1   System Security Plan: 257
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: n/a

10/4/2021
NASIRC Notes:
General Information


Record Number: 200141220 


Title: System Compromises at JPL via Yahoo Messenger 


Contact Name: b6, 7C


Contact Center: NASIRC 


Incident Category: System Compromise
Attacker: Stakkato/stkto


Attacker Note: 


Incident Dates 


Incident Date: 1/5/2004 


Discovered Date: 1/6/2004


NASIRC Notified Date: 1/8/2004


Closed Date: 2/17/2004 


Dates For Other Notifications 
ITSM Date: 


US-CERT Date: 
CSO Date: 
OIG Date: 

CIO Date: 
ITSO Date: 


CCITS Date: 


PII Information 




Center: JPL 


Contact Phone: 
Coordinator: 


Est. Cost ($): 2800 


Hostile Unknown?: No
Impact: High


Contact Email: [redacted] nasa.gov
Source of Report: b6, 7C


Est. Cost (hours): 28


Incident Zone: PST 


Discovered Zone:


NASIRC Notified Zone: EDT


Closed Zone: 


ITSM Zone: 
US-CERT Zone: 
CSO Zone: 
OIG Zone: 

CIO Zone: 
ITSO Zone: 
CCITS Zone: 


Time Limit: 30 


PII Involved?: No


PII Disclosed By: 


PII Data Types:


Scope of PII Exposure:


Host Information 


NASA System Information 


Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Security Plan | Exploit | system_id | Sensitive Info? | Information Category | Category
[redacted] | [redacted] | | Microsoft | Microsoft | Windows 2000 | Unknown | Workstation | | Yahoo Messenger_YAuto.dll BO | 6339 | | AD |
[redacted] | [redacted] | | Microsoft | Microsoft | Windows 2000 | Unknown | Workstation | | Yahoo Messenger_YAuto.dll BO | 6340 | | |
(Sensitivity Description, CVE, Port and Org. Code columns are empty.)

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41526

Additional Information

Notices
ID | Abbreviation | noticeid | Date
A-04-09 | NASIRC | 3248 | 08-JAN-2004
A-04-09-A | NASIRC | 3286 | 14-FEB-2004
CTRINH-PC-ID118-01-2 | Center | 3247 | 08-JAN-2004

PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No


Summary:
02/17/2004: Closed incident per Weekly update from [redacted] @ JPL. [redacted]

Chronology:

-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Thursday, January 08, 2004 3:51 PM
To: jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; [redacted]; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) JPL Incident Initial Notification (ID_118)

INITIAL INCIDENT NOTIFICATION
Investigation Name: CTRINH-PC-ID118-01-2004
Incident Date: 2004-01-05, 00:00
Investigator Name: [redacted]
Notified By: JPL User
JPL Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | INCIDENT CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | MS Windows 2000 | workstation | SC | Yahoo! Messenger YAUTO.DLL | No | None
2. [redacted] | [redacted] | MS Windows 2000 | workstation | SC | Yahoo! Messenger YAUTO.DLL | No | None
Perpetrator Computer Information: HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
[redacted] | [redacted] | St Louis | MD | United States
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

***********************************************************

-----Original Message-----
From: [redacted] [mailto:[redacted]@jpl.nasa.gov]
Sent: Friday, February 13, 2004 5:31 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107404671) Weekly Incident Report for 06Feb04_12Feb04

***********************************************************
CLOSED INCIDENTS: 3
***********************************************************
INCIDENT INFO
Incident Name: CTRINH-PC-ID118-01-2004
Discovery Date: 06-JAN-04
Exploit Date: 05-JAN-04
Labor Hours: 28
Labor Cost: 2800
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Yahoo! Messenger YAUTO.DLL   System OS: MS Windows   OS Version: w2k   System Security Plan: n/a
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Yahoo! Messenger YAUTO.DLL   System OS: Windows 2000   OS Version: 2k   System Security Plan: n/a
-------------------
INCIDENT INFO
Incident Name: [redacted]-ID120-01-2004
Discovery Date: 10-JAN-04
Exploit Date: 07-JAN-04
Labor Hours: 92
Labor Cost: 9200
HOSTILE SYSTEMS
Hostile Name: VIZ.COLORADO.EDU   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 7.x   OS Version: -   System Security Plan: 123
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 7.x   OS Version: -   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 9   OS Version: -   System Security Plan: 370
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 2.6 (5.6)   OS Version: -   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 370
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: HP-UX (version unreadable)   OS Version: -   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 370
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 7.x   OS Version: -   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 11
-------------------
INCIDENT INFO
Incident Name: [redacted]25-02-2004
Discovery Date: 10-FEB-04
Exploit Date: 07-FEB-04
Labor Hours: 8
Labor Cost: 800
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]   Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Sadmind   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: 503
-------------------

NASIRC Notes:















KEY Archer eGRC 


200141221 





General Information 


Record Number: 200141221 


Title: System Compromises at JPL via Local Root Exploit 


Contact Name: b6, 7C


Contact Center: NASIRC 


Incident Category: System Compromise
Attacker: Stakkato


Attacker Note: 


Incident Dates 
Incident Date: 1/7/2004 


Discovered Date: 1/10/2004


NASIRC Notified Date: 1/12/2004


Closed Date: 2/17/2004 


Dates For Other Notifications 
ITSM Date: 


US-CERT Date: 
CSO Date: 
OIG Date: 

CIO Date: 
ITSO Date: 


CCITS Date: 


PII Information 




Center: JPL 


Contact Phone: 


Coordinator: b6, 7C


Est. Cost ($): 4600 


Hostile Unknown?: No
Impact: High


Contact Email: [redacted] nasa.gov
Source of Report: [redacted]


Est. Cost (hours): 46


Incident Zone: 


Discovered Zone:


NASIRC Notified Zone: EDT


Closed Zone: 


ITSM Zone: 
US-CERT Zone: 
CSO Zone: 
OIG Zone: 

CIO Zone: 
ITSO Zone: 
CCITS Zone: 


Time Limit: 30 


PII Involved?:


PII Disclosed By: 


PII Data Types: 


Scope of PII Exposure:


Host Information

NASA System Information
Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Security Plan | Exploit | system_id
[redacted] | [redacted] | | Sun (Software) | | Solaris 9 | | | 370 | Local Root Exploit | 6344
[redacted] | [redacted] | | Sun (Software) | | Solaris 9 | | | 370 | Local Root Exploit | 6346
[redacted] | [redacted] | | Sun (Software) | | Solaris 9 | | | 370 | Local Root Exploit | 6342
[redacted] | [redacted] | | Redhat | | Linux 7.x | | Workstation | 257 | Local Root Exploit | 6341
[redacted] | [redacted] | | Redhat | | Linux 7.x | | Workstation | 123 | Local Root Exploit | 6978
[redacted] | [redacted] | | Sun (Software) | | Solaris 9 | | | 11 | Local Root Exploit | 6996
(Sensitivity Description, CVE, Port, Information Category and Category columns are empty; Sensitive Info? reads N/A in one row.)

PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41905

Additional Information

Notices
ID | Abbreviation | noticeid | Date
A-04-12 | NASIRC | 3252 | 12-JAN-2004
DCS18-ID120-01-2004 | Center | 3251 | 12-JAN-2004





Summary:
02/17/2004: Incident closed per weekly report from [redacted] at JPL.
02/17/2004: Per [redacted], divided the cost in 1/2 for 200141221 & 200141224. [redacted]'s database reflects this as 1 incident; for reporting purposes NASIRC separated the system compromises & unauthorized accesses into 2 incidents. Total cost is $9200; each incident now reflects a cost of $4600.
Chronology:


NASIRC Notes: 


-----Original Message-----
From: [redacted] [mailto:[redacted]]
Sent: Monday, January 12, 2004 10:58 AM
To: [redacted]; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107400877) JPL Incident Initial Notification (ID_120)

INITIAL INCIDENT NOTIFICATION
Investigation Name: DCS18-ID120-01-2004
Incident Date: 2004-01-07, 09:00
Investigator Name: [redacted]
Notified By: JPL User
JPL Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | INCIDENT CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | RedHat Linux 7.x | workstation | SC | Local Root Exploit | No | None
2. COMMANDER | [redacted] | RedHat Linux 7.x | Workstation | SC | Local Root Exploit | No | None
3. [redacted] | [redacted] | Sun Solaris 2.6 (5.6) | Cassini DSA Development | SC | Local Root Exploit | No | None
4. [redacted] | [redacted] | Sun Solaris 2.6 (5.6) | n/a | UA | User Account | No | None
5. [redacted] | [redacted] | Autonet 4.[unreadable] | Cassini Instruments Operations | SC | Local Root Exploit | No | None
6. [redacted] | [redacted] | HP-UX 9.x & 10.x | n/a | UA | User Account | No | None
7. [redacted] | [redacted] | Autonet 4.[unreadable] | Cassini Mission Planning | SC | Local Root Exploit | No | None
8. [redacted] | Autonet 4.2 | Linux Workstation | UA | User Account | No | None
Perpetrator Computer Information: HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
1. VIZ.COLORADO.EDU | [redacted] | Boulder | CO | United States
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

***********************************************************

-----Original Message-----
From: [redacted]
Sent: Friday, February 13, 2004 5:31 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107404671) Weekly Incident Report for 06Feb04_12Feb04

***********************************************************
CLOSED INCIDENTS: 3
***********************************************************
INCIDENT INFO
Incident Name: [redacted]PC-ID118-01-2004
Discovery Date: 06-JAN-04
Exploit Date: 05-JAN-04
Labor Hours: 28
Labor Cost: 2800
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted]-PC.jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Yahoo! Messenger YAUTO.DLL   System OS: MS Windows   OS Version: w2k   System Security Plan: n/a
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Yahoo! Messenger YAUTO.DLL   System OS: Windows 2000   OS Version: 2k   System Security Plan: n/a
-----------------------------------------------------------
INCIDENT INFO
Incident Name: [redacted]ID120-01-2004
Discovery Date: 10-JAN-04
Exploit Date: 07-JAN-04
Labor Hours: 92
Labor Cost: 9200
HOSTILE SYSTEMS
Hostile Name: VIZ.COLORADO.EDU   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 7.x   OS Version: -   System Security Plan: 123
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 7.x   OS Version: -   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 9   OS Version: -   System Security Plan: 370
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 2.6 (5.6)   OS Version: -   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 370
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: HP-UX (version unreadable)   OS Version: -   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 370
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 7.x   OS Version: -   System Security Plan: 257
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 11
-----------------------------------------------------------
INCIDENT INFO
Incident Name: [redacted]25-02-2004
Discovery Date: 10-FEB-04
Exploit Date: 07-FEB-04
Labor Hours: 8
Labor Cost: 800
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]   Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Sadmind   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: 503
-----------------------------------------------------------
200141224





General Information 


Record Number: 200141224 


Title: Unauthorized Access at JPL via user account 


Contact Name: (b)(6), (b)(7)(C)


Contact Center: NASIRC 


Incident Category: Unauthorized Access
Attacker: Stakkato


Attacker Note: 


Incident Dates 
Incident Date: 1/7/2004 


Discovered Date: 1/10/2004


NASIRC Notified Date: 1/14/2004


Closed Date: 2/17/2004 


Dates For Other Notifications 
ITSM Date: 


US-CERT Date: 
CSO Date: 
OIG Date: 

CIO Date: 
ITSO Date: 


CCITS Date: 


PII Information 




Center: JPL
Contact Phone:
Coordinator:
Est. Cost ($): 4600
Hostile Unknown?:
Impact: High
Contact Email: [redacted]
Source of Report: b6, 7C
Est. Cost (hours): 46
Incident Zone:
Discovered Zone:


NASIRC Notified Zone: EDT


Closed Zone: 


ITSM Zone: 
US-CERT Zone: 
CSO Zone: 
OIG Zone: 

CIO Zone: 
ITSO Zone: 
CCITS Zone: 


Time Limit: 
PII Involved?: No
PII Disclosed By:
PII Data Types:
Scope of PII Exposure:
PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information

NASA System Information
Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Security Plan | Exploit | system_id | Sensitive Info?
[redacted] | [redacted] | | Redhat | | Linux 7.x | | | 257 | Account - User | 6347 |
[redacted] | [redacted] | | Hewlett Packard | | HP-UX | | | 257 | Account - User | 6345 |
[redacted] | [redacted] | | Sun (Software) | | Solaris 2.6 | | | 257 | Account - User | 6343 | N/A
(Sensitivity Description, CVE, Port, Org. Code, Information Category and Category columns are empty.)

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41906

Additional Information

Notices
ID | Abbreviation | noticeid | Date
A-04-12 | NASIRC | 3254 | 12-JAN-2004
DCS18-ID120-01-2004 | Center | 3253 | 12-JAN-2004
Summary:


Chronology: 


NASIRC Notes: 









02/17/2004: Incident closed per weekly update provided by [redacted] @ JPL.
02/17/2004: Per [redacted]: "I divided the cost in 1/2 for 200141221 & 200141224. [redacted]'s database reflects this as 1 incident; for reporting purposes NASIRC separated the system compromises & unauthorized accesses into 2 incidents. Total cost is $9200; each incident now reflects a cost of $4600." [redacted]















-----Original Message-----
From: [redacted]
Sent: Monday, January 12, 2004 10:58 AM
To: [redacted]; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) JPL Incident Initial Notification (ID_120)

INITIAL INCIDENT NOTIFICATION
Investigation Name: [redacted]-ID120-01-2004
Incident Date: 2004-01-07, 09:00
Investigator Name: [redacted]
Notified By: JPL User
JPL Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | INCIDENT CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | RedHat Linux 7.x | workstation | SC | Local Root Exploit | No | None
2. [redacted] | [redacted] | RedHat Linux 7.x | Workstation | SC | Local Root Exploit | No | None
3. [redacted] | [redacted] | Sun Solaris 2.6 (5.6) | Cassini DSA Development | SC | Local Root Exploit | No | None
4. [redacted] | [redacted] | Sun Solaris 2.6 (5.6) | n/a | UA | User Account | No | None
5. [redacted] | [redacted] | Autonet 4.[unreadable] | Cassini Instruments Operations | SC | Local Root Exploit | No | None
6. [redacted] | [redacted] | HP-UX 9.x & 10.x | n/a | UA | User Account | No | None
7. [redacted] | [redacted] | Autonet 4.[unreadable] | Cassini Mission Planning | SC | Local Root Exploit | No | None
8. [redacted] | Autonet 4.2 | Linux Workstation | UA | User Account | No | None
Perpetrator Computer Information: HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
[redacted] | [redacted] | Boulder | CO | United States
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

***********************************************************

-----Original Message-----
From: [redacted] [mailto:[redacted]]
Sent: Friday, February 13, 2004 5:31 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107404671) Weekly Incident Report for 06Feb04_12Feb04

***********************************************************
CLOSED INCIDENTS: 3
***********************************************************
INCIDENT INFO
Incident Name: [redacted]D118-01-2004
Discovery Date: 06-JAN-04
Exploit Date: 05-JAN-04
Labor Hours: 28
Labor Cost: 2800
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Yahoo! Messenger [unreadable]   System OS: MS Windows   OS Version: w2k   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Yahoo! Messenger YAUTO.DLL   System OS: Windows 2000   OS Version: 2k   System Security Plan: n/a
-----------------------------------------------------------
INCIDENT INFO
Incident Name: DCS18-ID120-01-2004
Discovery Date: 10-JAN-04
Exploit Date: 07-JAN-04
Labor Hours: 92
Labor Cost: 9200
HOSTILE SYSTEMS
Hostile Name: VIZ.COLORADO.EDU   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: [redacted] Linux 7.x   OS Version: -   System Security Plan: 123
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 7.x   OS Version: -   System Security Plan: 257
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris 9   OS Version: -   System Security Plan: 370
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 2.6 (5.6)   OS Version: -   System Security Plan: 257
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 370
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: HP-UX (version unreadable)   OS Version: -   System Security Plan: 257
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 370
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 7.x   OS Version: -   System Security Plan: 257
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: Sun Solaris   OS Version: -   System Security Plan: 11
-----------------------------------------------------------
INCIDENT INFO
Incident Name: [redacted]
Discovery Date: 10-FEB-04
Exploit Date: 07-FEB-04
Labor Hours: 8
Labor Cost: 800
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]   Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Sadmind   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: 503
-----------------------------------------------------------
General Information


Record Number: 200141238 
Title: System compromises at JPL (16) 


Contact Name: b6, 7C


Contact Center: NASIRC 


Incident Category: System Compromise
Attacker: Stakkato


Attacker Note: 


Incident Dates 


Incident Date: 2/11/2004
Discovered Date: 2/11/2004


NASIRC Notified Date: 2/12/2004
Closed Date: 3/22/2004


Dates For Other Notifications 
ITSM Date: 


US-CERT Date: 
CSO Date: 
OIG Date: 

CIO Date: 
ITSO Date: 


CCITS Date: 


PII Information 




200141238 


Center: JPL
Contact Phone:
Coordinator:
Est. Cost ($): 10275
Hostile Unknown?: No
Impact: High
Contact Email:
Source of Report:
Est. Cost (hours): 102.75
Incident Zone:
Discovered Zone:


NASIRC Notified EDT 


Zone: 


Closed Zone: 


ITSM Zone: 
US-CERT Zone: 
CSO Zone: 
OIG Zone: 

CIO Zone: 
ITSO Zone: 
CCITS Zone: 


Time Limit: 
PII Involved?: No
PII Disclosed By:
PII Data Types:
Scope of PII Exposure:
PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Name | IP Address | OS Manufacturer | OS | OS Version | Security Plan | Exploit | system_id | Sensitive Info?
[redacted] | [redacted] | Sun (Software) | Solaris | 2.6 | 370 | Solaris priocntl() Local Root | 7023 |
[redacted] | [redacted] | Sun (Software) | Solaris | 8 | | Local Root Exploit | 7224 | N/A
[redacted] | [redacted] | Sun (Software) | Solaris | 7 | 370 | | 7011 |
[redacted] | [redacted] | Sun (Software) | Solaris | 7 | 149 | Password - Compromised | 7012 |
[redacted] | [redacted] | Sun (Software) | Solaris | 7 | 370 | Solaris priocntl() Local Root | 7013 |
[redacted] | [redacted] | Redhat | Linux | | | Undetermined | 7014 |
[redacted] | [redacted] | Redhat | Linux | 7.x | 149 | Password - Compromised | 7015 |
[redacted] | [redacted] | Hewlett Packard | HP-UX | | 257 | Undetermined | [illegible] |
[redacted] | [redacted] | SGI | IRIX | 6.5 | 149 | Password - Compromised | 7017 |
[redacted] | [redacted] | Sun (Software) | Solaris | 2.6 | 370 | Solaris priocntl() Local Root | 7018 |
[redacted] | [redacted] | Sun (Software) | Solaris | 8 | 100 | Undetermined | 7019 |
[redacted] | [redacted] | Sun (Software) | Solaris | 7 | 370 | Solaris priocntl() Local Root | 7021 |
[redacted] | [redacted] | Sun (Software) | Solaris | 2.6 | 370 | Solaris priocntl() Local Root | 7022 |
[redacted] | [redacted] | Sun (Software) | Solaris | 8 | 100 | Undetermined | 7020 |
[redacted] | [redacted] | Sun (Software) | Solaris | 8 | 257 | SolSadmindAmslverifyB0 | 6990 |
[redacted] | [redacted] | Sun (Software) | Solaris | 8 | | SolSadmindAmslverifyB0 | 6991 |
(The Admin, HW Manufacturer, HW Version, Function, Sensitivity Description, CVE, Port, Org. Code and Information Category columns are empty for these rows.)

SENSITIVE BUT UNCLASSIFIED.
Page 2 10/4/2021
Hostile Site Information
IP Address hostile_site_id
[redacted] 41910

Additional Information

Notices
ID Abbreviation noticeid Date
A-04-44 NASIRC 3274 12-FEB-2004
A-04-44-A NASIRC 3275 23-FEB-2004
SSD-ID127-02-2004 Center 3265 12-FEB-2004

Summary:
02/23/2004: 13 additional systems added per weekly incident report for 13Feb04-19Feb04 provided by [redacted].
03/15/2004: Incident closed per weekly report provided by [redacted].
03/22/2004: Cost & labor were provided as 137 hours and $13,700 total cost. I put 3/4 of the labor and cost to this incident "System Compromise", the other 1/4 ($3,425.00) to incident 200141246 "Unauthorized access at JPL".
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Chronology: 










-----Original Message-----
Sent: Wednesday, February 11, 2004 7:40 PM
To: nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: Incident Initial Notification (ID_127)

INITIAL INCIDENT NOTIFICATION
Investigation Name:SSD-ID127-02-2004
Incident Date:2004-02-11, 04:30
Investigator Name:[redacted]
Notified By:RealSecure
JPL Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | INCIDENT CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. SSD | [redacted] | Sun Solaris 8 (2.8) | Horizons Server | SC | Sadmind | No | None
2. TOMTOM | [redacted] | Sun Solaris 8 (2.8) | [redacted] server | SC | Sadmind | No | None
Perpetrator Computer Information: HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
1. CELICA.CALTECH.EDU | 131.215.159.69 | Pasadena | CA | United States
Sensitive Information Involved:No
Description of Sensitive Information Involved:None
Additional Information:None.
NASIRC Action:None.

***********************************************************
-----Original Message-----
From: [redacted] [mailto:[redacted]]
Sent: Friday, February 20, 2004 4:59 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107405286) Weekly Incident Report for 13Feb04_19Feb04

INCIDENT INFO
Incident Name:SSD-ID127-02-2004 Discovery Date:11-FEB-04 Exploit Date:11-FEB-04 Labor Hours:n/a Labor Cost:n/a
HOSTILE SYSTEMS Hostile Name:[redacted] Hostile IP:[redacted]
AFFECTED SYSTEMS
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:Unauthorized Access Exploit Used:User Account System OS:SGI IRIX 6.5.x OS Version:- System Security Plan:0
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.6 (5.6) OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.6 (5.6) OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:100
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:100
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.6 (5.6) OS Version:- System Security Plan:370
Domain Name:[redacted] IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:SGI IRIX 6.5.x OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:HP-UX 9.x & 10.x OS Version:- System Security Plan:257
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:RedHat Linux 7.x OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:RedHat Linux 9.x OS Version:- System Security Plan:n/a
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Sadmind System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:257
Domain Name:[redacted] IP Address:[redacted] Incident Category:System Compromise Exploit Used:Sadmind System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:n/a
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370

***********************************************************
-----Original Message-----
From: [redacted] [mailto:[redacted]]
Sent: Friday, March 12, 2004 5:13 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107408126) Weekly Incident Report for 05Mar04_11Mar04


***********************************************************
NEW INCIDENTS: 0
***********************************************************
OPEN INCIDENTS: 0
***********************************************************
CLOSED INCIDENTS: 4
***********************************************************
INCIDENT INFO
Incident Name:SSD-ID127-02-2004 Discovery Date:11-FEB-04 Exploit Date:11-FEB-04 Labor Hours:n/a Labor Cost:
HOSTILE SYSTEMS Hostile Name:[redacted] Hostile IP:[redacted]
AFFECTED SYSTEMS
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:Unauthorized Access Exploit Used:User Account System OS:SGI IRIX 6.5.x OS Version:- System Security Plan:0
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.[illegible] OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:128.149.147.39 Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.6 (5.6) OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 7 (2.7) OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:100
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:Unauthorized Access Exploit Used:User Account System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:0
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:100
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.[illegible] OS Version:- System Security Plan:370
Domain Name:[redacted] IP Address:[redacted] Incident Category:System Compromise Exploit Used:Local Root Exploit System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:274
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:SGI IRIX 6.5.x OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:HP-UX 9.x & 10.x OS Version:- System Security Plan:257
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:RedHat Linux 7.x OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:RedHat Linux 9.x OS Version:- System Security Plan:0
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Sadmind System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:257
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Sadmind System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:0
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370

***********************************************************
-----Original Message-----
From: [redacted] [mailto:[redacted]]
Sent: Monday, March 22, 2004 5:14 PM
To: [redacted]
Subject: RE: (NASIRC Ref: 10[rest illegible]) Weekly Incident Report for 12Mar04_19Mar04

Hi [redacted],
Update to close out JPL incident.
SSD-ID127-02-2004 Labor Hours:137 Labor Cost:$13,700





General Information

Record Number: 200141242
Center: JPL
Title: Unauthorized Access to [redacted].jpl.nasa.gov ([redacted]) via user account
Contact Name: [redacted]
Contact Phone:
Contact Center: NASIRC
Coordinator: [redacted]
Incident Category: Unauthorized Access
Est. Cost ($): 300
Attacker: Stakkato
Hostile Unknown?: No
Attacker Note:
Impact: High
Contact Email: [redacted]@nasa.gov
Source of Report: [redacted]
Est. Cost (hours): 3

Incident Dates

Incident Date: 2/17/2004
Incident Zone:
Discovered Date: 2/19/2004
Discovered Zone:
NASIRC Notified Date: 2/19/2004
NASIRC Notified Zone: EDT
Closed Date: 3/15/2004
Closed Zone:

Dates For Other Notifications

ITSM Date:
ITSM Zone:
US-CERT Date:
US-CERT Zone:
CSO Date:
CSO Zone:
OIG Date:
OIG Zone:
CIO Date:
CIO Zone:
ITSO Date:
ITSO Zone:
CCITS Date:
CCITS Zone:
Time Limit: 30

PII Information
PII Involved?: No
PII Disclosed By:
PII Data Types:
Scope of PII Exposure:
PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Name | IP Address | OS Manufacturer | OS | OS Version | Security Plan | Exploit | system_id | Sensitive Info? | Information Category
[redacted] | [redacted] | Sun (Software) | Solaris | 9 | 153 | Account - User | 7007 | N/A |

Hostile Site Information
IP Address hostile_site_id
[redacted] 41552
[redacted] 41553

Additional Information

Notices
ID Abbreviation noticeid Date
A-04-50 NASIRC 3283 19-FEB-2004
[blank] Center 3267 19-FEB-2004

Summary:
03/15/2004: Closed incident per weekly report provided by [redacted].
Chronology:

NASIRC Notes:

-----Original Message-----
To: [redacted].jpl.nasa.gov; [redacted].jpl.nasa.gov; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: Incident Initial Notification (ID_128)

INITIAL INCIDENT NOTIFICATION
Investigation Name:[redacted]
Incident Date:2004-02-17, 14:25
Investigator Name:[redacted]
Notified By:External
JPL Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | INCIDENT CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | Sun Solaris 9 | Portal | UA | User Account | No | None
Perpetrator Computer Information: HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
1. [redacted] | [redacted] | Cambridge | MA | United States
2. [redacted] | [redacted] | Cambridge | [illegible] | United States
Sensitive Information Involved:No
Description of Sensitive Information Involved:None
Additional Information:None.
NASIRC Action:None.

***********************************************************
-----Original Message-----
From: [redacted] [mailto:[redacted]@jpl.nasa.gov]
Sent: Friday, March 12, 2004 5:13 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: [redacted]@jpl.nasa.gov
Subject: (NASIRC Ref: 107408126) Weekly Incident Report for 05Mar04_11Mar04
***********************************************************
NEW INCIDENTS: 0
***********************************************************
OPEN INCIDENTS: 0
***********************************************************
CLOSED INCIDENTS: 4
***********************************************************
INCIDENT INFO
Incident Name:[redacted] Discovery Date:19-FEB-04 Exploit Date:17-FEB-04 Labor Hours:3 Labor Cost:300
HOSTILE SYSTEMS Hostile Name:[redacted] Hostile IP:[redacted] Hostile Name:[redacted] Hostile IP:[redacted]
AFFECTED SYSTEMS
Domain Name:[redacted] IP Address:[redacted] Incident Category:Unauthorized Access Exploit Used:User Account System OS:Sun Solaris 9 OS Version:n/a System Security Plan:153
General Information

Record Number: 200141246
Center: JPL
Title: Unauthorized Access at JPL
Contact Name: [redacted]
Contact Phone:
Contact Center: NASIRC
Coordinator:
Incident Category: Unauthorized Access
Est. Cost ($): 3425
Attacker: Stakkato
Hostile Unknown?: No
Attacker Note:
Impact: High
Contact Email:
Source of Report:
Est. Cost (hours): 34.25

Incident Dates

Incident Date: 2/11/2004
Incident Zone:
Discovered Date: 2/11/2004
Discovered Zone:
NASIRC Notified Date: 2/23/2004
NASIRC Notified Zone: EDT
Closed Date: 3/22/2004
Closed Zone:

Dates For Other Notifications

ITSM Date:
ITSM Zone:
US-CERT Date:
US-CERT Zone:
CSO Date:
CSO Zone:
OIG Date:
OIG Zone:
CIO Date:
CIO Zone:
ITSO Date:
ITSO Zone:
CCITS Date:
CCITS Zone:
Time Limit: 30

PII Information
PII Involved?: No
PII Disclosed By:
PII Data Types:
Scope of PII Exposure:
PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Name | IP Address | OS Manufacturer | OS | OS Version | Security Plan | Exploit | system_id | Sensitive Info? | Information Category
[redacted] | [redacted] | Sun (Software) | Solaris | 8 | | Account - User | 7225 | N/A |
[redacted] | [redacted] | SGI | IRIX | 6.5 | | Account - User | 7010 | |

Hostile Site Information
IP Address hostile_site_id
[redacted] [redacted]

Additional Information

Notices
ID Abbreviation noticeid Date
A-04-44-A NASIRC 3282 23-FEB-2004
ssd-id127-02-2004 Center 3268 11-FEB-2004

Summary:
02/23/2004: Incident added per weekly incident report for 13Feb04-19Feb04 provided by [redacted].
03/15/2004: Closed incident per weekly report provided by [redacted].
03/22/2004: Cost & labor were provided as 137 hours and $13,700 total cost. I put 1/4 of the labor and cost to this incident "Unauthorized Access", the other 3/4 ($10,750.00) to incident 200141238 "System Compromise". [redacted]
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Chronology: 










-----Original Message-----
From: [redacted]
Sent: Friday, February 20, 2004 4:59 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107405286) Weekly Incident Report for 13Feb04_19Feb04

INCIDENT INFO
Incident Name:SSD-ID127-02-2004 Discovery Date:11-FEB-04 Exploit Date:11-FEB-04 Labor Hours:n/a Labor Cost:n/a
HOSTILE SYSTEMS Hostile Name:CELICA.CALTECH.EDU Hostile IP:[redacted]
AFFECTED SYSTEMS
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:Unauthorized Access Exploit Used:User Account System OS:SGI IRIX 6.5.x OS Version:- System Security Plan:0
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.6 (5.6) OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.6 (5.6) OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370
Domain Name:[redacted] IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:100
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:100
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.6 (5.6) OS Version:- System Security Plan:370
Domain Name:[redacted] IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:SGI IRIX 6.5.x OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:HP-UX 9.x & 10.x OS Version:- System Security Plan:257
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:RedHat Linux 7.x OS Version:- System Security Plan:149
Domain Name:[redacted] IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:RedHat Linux 9.x OS Version:- System Security Plan:n/a
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Sadmind System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:257
Domain Name:[redacted] IP Address:[redacted] Incident Category:System Compromise Exploit Used:Sadmind System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:n/a
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root [remainder of entry cut off in the release]

***********************************************************
-----Original Message-----
From: [redacted]
Sent: Friday, March 12, 2004 5:13 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: 107408126) Weekly Incident Report for 05Mar04_11Mar04
***********************************************************
NEW INCIDENTS: 0
***********************************************************
OPEN INCIDENTS: 0
***********************************************************
CLOSED INCIDENTS: 4
***********************************************************
INCIDENT INFO
Incident Name:SSD-ID127-02-2004 Discovery Date:11-FEB-04 Exploit Date:11-FEB-04 Labor Hours:n/a Labor Cost:
HOSTILE SYSTEMS Hostile Name:[redacted] Hostile IP:[redacted]
AFFECTED SYSTEMS
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:Unauthorized Access Exploit Used:User Account System OS:SGI IRIX 6.5.x OS Version:- System Security Plan:0
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:100
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:Unauthorized Access Exploit Used:User Account System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:0
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:100
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris 2.[illegible] OS Version:- System Security Plan:370
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Local Root Exploit System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:274
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:SGI IRIX 6.5.x OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:HP-UX 9.x & 10.x OS Version:- System Security Plan:257
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:RedHat Linux 7.x OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Undetermined System OS:RedHat Linux 9.x OS Version:- System Security Plan:0
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Root account cracked System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:149
Domain Name:[redacted].jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Sadmind System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:257
Domain Name:TOMTOM.jpl.nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Sadmind System OS:Sun Solaris 8 (2.8) OS Version:- System Security Plan:0
Domain Name:[redacted].nasa.gov IP Address:[redacted] Incident Category:System Compromise Exploit Used:Solaris priocntl() Local Root System OS:Sun Solaris [version illegible] OS Version:- System Security Plan:370
tl() Local Root System OS:Sun Solaris 7 (2.7) OS Version:- System Security Plan:370 [fragment of a further entry; its start is cut off in the release]

***********************************************************
-----Original Message-----
From: [redacted]
Sent: Monday, March 22, 2004 5:14 PM
To: [redacted]
Subject: RE: (NASIRC Ref: 1[rest illegible]) Weekly Incident Report for 12Mar04_19Mar04

Hi,
Update to close out JPL incident.
SSD-ID127-02-2004 Labor Hours:137 Labor Cost $13,700 [redacted]
General Information

Record Number: 200141247
Center: LaRC
Title: SADMIND compromise - 23 hosts involved
Contact Name: [redacted]
Contact Phone:
Contact Center: LaRC
Coordinator: [redacted]
Incident Category: System Compromise
Est. Cost ($): 88500
Attacker: Stakkato
Hostile Unknown?: No
Attacker Note:
Impact: High
Contact Email: [redacted]@nasa.gov
Source of Report:
Est. Cost (hours): 885

Incident Dates

Incident Date: 1/25/2004
Incident Zone: EST
Discovered Date: 1/27/2004
Discovered Zone: EST
NASIRC Notified Date: 1/27/2004
NASIRC Notified Zone: EDT
Closed Date: 2/25/2004
Closed Zone:

Dates For Other Notifications

ITSM Date: 1/27/2004
ITSM Zone: EST
US-CERT Date:
US-CERT Zone:
CSO Date:
CSO Zone:
OIG Date:
OIG Zone:
CIO Date:
CIO Zone:
ITSO Date:
ITSO Zone:
CCITS Date:
CCITS Zone:
Time Limit: 30

PII Information
PII Involved?: No
PII Disclosed By:
PII Data Types:
Scope of PII Exposure:
PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Name | IP Address | OS Manufacturer | HW Manufacturer | OS | HW Version | Exploit | system_id | Information Category
[redacted] | [redacted] | Sun (Software) | Sun (Hardware) | Solaris | | SolSadmindAmslverifyB0 | 7043 | SER
[redacted] | [redacted] | Sun (Software) | Sun (Hardware) | Solaris | | SolSadmindAmslverifyB0 | 7044 | SER
[redacted] | [redacted] | Sun (Software) | Sun (Hardware) | Solaris | | Undetermined | 7045 | PU
[redacted] | [redacted] | Sun (Software) | Sun (Hardware) | Solaris | | Password - Compromised | 7038 | SER
[redacted] | [redacted] | Sun (Software) | Sun (Hardware) | Solaris | Enterprise 250 | Password - Compromised | 7046 | SER
[redacted] | [redacted] | Sun (Software) | Sun (Hardware) | Solaris | | SolSadmindAmslverifyB0 | 7m5 | CFR
(The Admin, OS Version, Function, Sensitivity Description, Security Plan, CVE, Port, Org. Code, Sensitive Info? and Category columns are empty for these rows.)
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Sun Sun Solaris 

(Softw (Hard 

are) ware) 

Sun Sun Solaris 

(Softw (Hard 2.5 

are) ware) 

Sun Sun Solaris 

(Softw (Hard 

are) ware) 

Sun Sun Solaris 

(Softw (Hard 

are) ware) 

DEC DEC Other 
(Softw 
are) 

Sun Sun Solaris 

(Softw (Hard 

are) ware) 

Sun Sun Solaris 

(Softw (Hard 

are) ware) 

Sun Sun Solaris 

(Softw (Hard 

are) ware) 

Sun Sun Solaris 

(Softw (Hard 

are) ware) 

Sun Sun Solaris 


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Passw 7028 
ord - 
Compr 
omise 

d 


Undet 7033 
ermine 
d 


Undet 7035 
ermine 
d 


Passw 7042 
ord - 
Compr 
omise 

d 


Passw 7024 
ord - 
Compr 
omise 

d 


Passw 7026 
ord - 
Compr 
omise 

d 


Passw 7027 
ord - 
Compr 
omise 

d 


Passw 7029 
ord - 
Compr 
omise 

d 


SolSa 7030 
dmind 
Amslv 
erifyB 

0 


Passw 7n21 
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SER 


SER 


SER 


SER 


SER 


SER 


SER 


SER 


SER 
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Sun Sun Solaris 
(Softw (Hard 
are) ware) 
Sun Sun Solaris 
(Softw (Hard 
are) ware) 
Sun Sun Solaris 
(Softw (Hard 
are) ware) 
Sun Sun Solaris 
(Softw (Hard 
are) ware) 
Sun Sun Solaris 
(Softw (Hard 
are) ware) 
Sun Sun Solaris 
(Softw (Hard 
are) ware) 
Sun Sun Solaris 
(Softw (Hard 
are) ware) 
Hostile Site Information 
IP Address hostile_site_id 
Dame 41555 
Additional Information 
Notices 
ID Abbreviation noticeid 
No Records Found 
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Passw 7032 
ord - 
Compr 
omise 

d 


Undet 7034 
ermine 
d 


SolSa 7039 
dmind 
Amslv 
erifyB 

0 


SolSa 7041 
dmind 
Amslv 
erifyB 

0 


Passw 7040 
ord - 
Compr 
omise 

d 


Undet 7036 
ermine 
d 


SolSa 7037 
dmind 
Amsiv 
erifvB 

o 
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PU 


SER 


SER 


PU 


SER 


SER 


SER 
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Summary: 


Chronology: 




NASIRC Notes: 


All of the affected hosts were partitioned from the network and then rebuilt from source media. All passwords of all
hosts on the affected network segments were changed. All telnet and ssh access was temporarily suspended, and
considerable justification is being required, along with verification of the security posture of the system, before access
is reinstated.

04/12/2004: On January 25th a valid Langley user account was accessed from a system at Caltech via ssh. The owner of the
account is located at the University of Colorado. It has been determined that she used the same password on
numerous systems. The intruder then began scanning the Langley network for systems with samba, ftp and sadmind
vulnerabilities over the next 2 days until telnet and ssh access was blocked. By exploiting these vulnerabilities
(primarily sadmind and samba) and through some existing trust relationships between systems, he eventually gained
access to 22 systems. It has been determined that he gained root access on all but one of the 22 systems. As he
gained access to a system, he frequently ftp'd to ftp.uu.net to download malware. He installed rootkits, including
sniffers, on several of the systems.


-----Original Message-----
From: [redacted] [mailto:[redacted]]
Sent: April 12, 2004 4:13 PM
To: [redacted]@nasa.gov; nasirc@nasirc.hq.nasa.gov
Cc: [redacted]@nasa.gov
Subject: (NASIRC Ref: [redacted]) NASA Machines

At first glance, this does appear to be the January incident.

>X-Mailer: QUALCOMM Windows Eudora Version 5.2.1
>Date: Mon, 12 Apr 2004 13:[redacted]
>To: [redacted]@nasa.gov
>From: [redacted]
>Subject: CIAC CASE 596 NASA Machines
>Cc: ciac@ciac.org
>
>Below is the list of compromised machines at NASA. Please pass the JPL
>list to your counterpart there. This list was obtained from an e-mail from
>the intruder where he was bragging that he owned these machines. He has
>been targeting UNIX boxes, including Linux, Solaris, and AIX.
>
>On the Linux boxes he uses a variant of the SK rootkit. I have attached a
>detector containing his current SK password. The detector uses his client
>application to see if the back door will open with this password. If it
>does, you know you are compromised. The hidden file suffix for this
>rootkit is xrk. Any file that ends with those letters is hidden so a quick
>local test is to use touch to create a file that ends with those letters
>and see if it is hidden. For example,
>
>touch myxrk
>ls
>
>If myxrk does not appear in the listing, you are compromised.
>
>Rootkit info
>Hidden file suffix: xrk
>Home directory: /etc/k.xrk
>Hidden copy of init: /sbin/initxrk
>Detector: ciaclogin11
>
>Note that this detector will work until the intruder changes the password,
>but that does not happen often because the password is compiled into the
>rootkit.
>
>The script included with the detector scans the detector over a subnet and
>interprets the results.
>
>For other unix systems, the intruder is using Trojaned versions of
>OpenSSH, in.ftpd, and ftp. All of these Trojans collect usernames and
>passwords and send them to [redacted] and to port 55 on
>fooshfoosh.ath.cx which currently points to mcc.atmos.colostate.edu
>([redacted]; I mixed up the machines when I talked to you on the
>phone). Note that fooshfoosh is a dynamic DNS name and the address it
>points to has changed a few times. If you have netflow data showing port
>55 connections to whatever address fooshfoosh is pointing to, those
>machines are probably compromised.
>
>Let me know if you have any questions.
>
>[list of compromised NASA hostnames and IP addresses; redacted]
>
>[redacted]
>PGP Fingerprint: 93D1 540A EC46 665D 47A4 42FC A74C 6
>Computer Incident Advisory Capability - CIAC
>Lawrence Livermore National Lab
>P.O. Box 808, L-303
>Livermore, CA 94551
>CIAC Phone: [redacted], Fax: [redacted]
>E-mail: ciac@ciac.org, virus samples to: virusin@ciac.org

[redacted], CISSP
[redacted]
NASA Langley Research Center
Information Technology Security Manager
Cell: b6,
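The two local checks the CIAC message describes, the touch/ls hidden-suffix probe and a netflow search for port 55 connections to the collector's current address, as an added example; this is not the CIAC detector attached to that message nor any NASA or CIAC code, and the flow record format, the constructed sample flows, the 192.0.2.0/24 and 198.51.100.0/24 addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the CIAC detector attached to the message above.
# Implements the two local checks that message describes for the SK rootkit
# variant: the hidden-suffix probe (touch a file ending in "xrk", see whether
# ls still lists it) and a netflow filter for tcp/55 connections to the
# collector's current address. Suffix, paths and port come from the message;
# the flow format, addresses and function names are assumed.

SK_SUFFIX="xrk"
SK_PATHS="/etc/k.xrk /sbin/initxrk"   # home directory and hidden init copy

# Probe: create a file whose name ends in the suffix inside a scratch
# directory and check whether a listing still shows it.
# Prints "clean" or "hidden"; returns 0 only when clean.
hidden_suffix_check() {
    dir=$(mktemp -d) || return 2
    name="probe$SK_SUFFIX"
    touch "$dir/$name"
    if ls -a "$dir" | grep -qx "$name"; then
        result=clean
    else
        result=hidden
    fi
    rm -rf "$dir"
    echo "$result"
    [ "$result" = clean ]
}

# Secondary check: the rootkit's known paths. A kernel-level rootkit hides
# these from stat() as well as from ls, so a hit confirms compromise but a
# miss is inconclusive; rely on the probe above and on netflow.
# Prints each path found; returns 0 when none is present.
known_paths_check() {
    found=0
    for p in $SK_PATHS; do
        if [ -e "$p" ]; then
            echo "present: $p"
            found=1
        fi
    done
    return $found
}

# Constructed netflow sample (not real data). Fields: start src dst dport proto.
# 192.0.2.10 stands in for whatever address fooshfoosh.ath.cx resolved to at
# the time of the flows; the message notes that address changes.
SAMPLE_FLOWS='2004-04-12T13:02:11 10.1.2.3 192.0.2.10 55 tcp
2004-04-12T13:02:14 10.1.2.3 192.0.2.10 22 tcp
2004-04-12T13:05:40 10.1.7.9 192.0.2.10 55 tcp
2004-04-12T13:06:01 10.1.8.2 198.51.100.5 55 tcp
2004-04-12T13:07:13 10.1.2.3 192.0.2.10 55 udp'

# List distinct internal hosts with tcp/55 flows to the given collector
# address; each is a candidate for the trojaned OpenSSH/in.ftpd/ftp.
# Usage: flows_to_collector <collector-ip> [flow-file]; reads the sample
# when no file is given.
flows_to_collector() {
    collector=$1
    { if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_FLOWS"; fi; } |
        awk -v dst="$collector" '$3 == dst && $4 == 55 && $5 == "tcp" { print $2 }' |
        sort -u
}

# Stand-alone run: local verdicts plus the flow sources for the sample.
echo "hidden-suffix probe: $(hidden_suffix_check)"
known_paths_check || echo "known SK paths present"
echo "hosts with tcp/55 flows to 192.0.2.10:"
flows_to_collector 192.0.2.10
```

Point flows_to_collector at an exported flow file in the same five-field layout, with the address fooshfoosh currently resolves to, to get the host list the message asks for.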
200141262





General Information 


Record Number: 200141262 Center: GSFC 


Title: Password file 


Contact Name: (b) (6), (b) (7)(C) Contact Phone: 
Contact Center: GSFC Coordinator: (6) (6): nie) 


Incident Unauthorized Access Est. Cost ($): 13600 

Category: 

Attacker: Stakkato Hostile No 
Unknown?: 


Attacker Note: 


Impact: High 

Source of Lead System Administrator 
Report: 

Est. Cost 136 

(hours): 


Incident Dates 





Incident Date: 3/18/2004 


Discovered 3/18/2004 
Date: 


NASIRC Notified 3/22/2004 
Date: 


Closed Date: 4/14/2004 


Dates For Other Notifications 


ITSM Date: 3/18/2004 


US-CERT Date: 


CSO Date: 3/18/2004 
OIG Date: 3/18/2004 
CIO Date: 

ITSO Date: 

CCITS Date: 


PII Information 




Incident Zone: GMT 


Discovered EST 
Zone: 


NASIRC Notified EDT 
Zone: 


Closed Zone: 


ITSM Zone: EST 


US-CERT Zone: 


CSO Zone: EST 
OIG Zone: GMT 
CIO Zone: 

ITSO Zone: 

CCITS Zone: 

Time Limit: 30 
PII Involved?: No


PII Disclosed By: 


PII Data Types: 


Scope of PII 
Exposure: 


PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information

Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Sensitivity | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Information Category
[Name, IP Address and Admin are redacted. The table was flattened in extraction; cells that could not be re-joined into rows are listed by column, in extraction order.]

OS / HW cells: SGI IRIX 6.5; SGI IRIX Unknown; SGI IRIX Unknown; SGI IRIX (Software); Debian Intel Other; IRIX 6.5 (Software); Sun (Software); Sun (Hardware); IRIX; Linux; Linux 6.2; Solaris Sparc 10; Linux; Solaris; IRIX; IRIX; IRIX
Function cells: Workstation; Workstation; Workstation; Server: Mail; Server: Workgroup; Server; Workgroup Unknown; Workstation (six times)
Security Plan cells: 900.3; 900.3; 900.3; 912; 931; 900.3; 931; 916; 931; 680; 931; 931; 931; 916; 931; 931; 661; 931

Exploit | system_id | Information Category
Password - Compromised | 7228 | SER
Password - Compromised | 7229 | SER
Password - Compromised | 7230 | SER
Account - User | 3131 | AD
Account - User | 8182 |
Account - User | 3133 |
Account - User | 8184 | SER
Account - User | 8185 | SER
Account - Guest | 8186 | SER
Account - User | 8187 | SER
Account - User | 8188 | SER
Account - User | 8189 | SER
Account - User | 8190 | SER
Account - User | 8191 | SER
Account - User | 8192 | SER
Account - User | 8193 | SER
Account - Guest | 8194 | SER
Account - User | 8195 | SER

Rows that survived intact (OS | Function | Security Plan | Exploit | system_id | Information Category):
IRIX | | 931 | Account - User | 8196 | SER
Other | Workstation | 921 | Account - User | 9197 | SER
IRIX | Workstation | 931 | Account - User | 8198 | SER
IRIX | | 931 | Account - User | 8199 | SER
Sun Solaris (Software) / Sun (Hardware) | | 560 | | 8200 | SER
| | 931 | Local Root Exploit | 8201 | SER
| Server: Workgroup | 926 | Account - User | 8202 | SER
| Workstation | 912 | Linux ptrace() kmod | 8203 | SER
IRIX | Server: Workgroup | 975 | | 8204 | SER
| | | | 8205 |
IRIX | | 680 | Account - | 9307 | SER
IRIX | | 680 | Account - User | 8208 | SER
IRIX | | 680 | Account - User | 9309 | SER
IRIX | | 680 | Account - User | 8210 | SER
Hostile Site Information 
IP Address hostile_site_id 
41570 
41571 
41572 
Additional Information 
Notices 
ID Abbreviation noticeid Date 


No Records Found 


3/22/2004: At present these systems are blocked. The [redacted] is comfortable with the log files and backups that were provided by the Code 297 IRT. Zeus, tropic and luz will be unblocked today. The lead system administrator will change the password on the affected user's account and review the .shosts and .rhosts files.


Summary: 


3/22/2004: On 2004-03-18, a lead systems administrator reported that three GSFC systems had account compromises deriving from a UCAR host on 2004-03-16. The user whose account had been compromised reported that the same account password was present on the UCAR host and the first of the three GSFC hosts. The remaining two GSFC hosts are believed to have been compromised via the use of .rhosts or .shosts. Determining the initial extent of the compromise was greatly aided by the fact that the local organization employs a centralized logging host.


Chronology: 


NASIRC Notes: 
200141270





General Information 


Record Number: 200141270 


Title: Information Compromise 


Contact Name: [redacted]


Contact Center: GSFC 


Incident Information Compromise 
Category: 
Attacker: Stakkato 


Attacker Note: 


Incident Dates 
Incident Date: 3/24/2004 


Discovered 3/24/2004 
Date: 


NASIRC Notified 3/25/2004 
Date: 


Closed Date: 6/18/2004 


Dates For Other Notifications 


ITSM Date: 3/24/2004 


US-CERT Date: 


CSO Date: 3/24/2004 
OIG Date: 3/24/2004 
CIO Date: 

ITSO Date: 

CCITS Date: 


PII Information 







Center: GSFC 


Contact Phone: 


Coordinator: b6,7C 


Est. Cost ($): 4300 


Hostile No 
Unknown?: 

Impact: High 
Source of DCSE 
Report: 

Est. Cost 43 
(hours): 


Incident Zone: EST 


Discovered EST 
Zone: 


NASIRC Notified EDT 
Zone: 


Closed Zone: 


ITSM Zone: EST 


US-CERT Zone: 


CSO Zone: EST 
OIG Zone: EST 
CIO Zone: 

ITSO Zone: 

CCITS Zone: 

Time Limit: 30 
PII Involved?: No
PII Report Date:
PII Disclosed By:
PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Sensitivity | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Information Category
[Name, IP Address and Admin are redacted; columns not shown are blank.]
RedHat | Linux 7.x | Security Plan 916 | Linux ptrace() kmod | 7255 | SER
RedHat | Linux 7.x | Security Plan 916 | Linux ptrace() kmod | 7256 | SER
RedHat | Linux 7.x | Security Plan 916 | Linux ptrace() kmod | 7257 | SER

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41577
[redacted] | 41578
[redacted] | 41579
[redacted] | 41580
[redacted] | 41581

Additional Information

Notices


ID 


Abbreviation noticeid Date 


No Records Found 


Summary: 


Chronology: 


NASIRC Notes: 


3/25/2004: These systems are blocked and are being investigated. 6/18/2004: Two of the three systems will be rebuilt and scanned in order to return to service; the other system will be excessed.

3/25/2004: On 2004-03-24, Code 916 reported suspicious scanning originating from a GSFC host. Upon investigation by the responsible system administrator, with the aid of a central logging host, three user-level compromises were discovered. The compromises derived from recent NOAA system-level compromises. Code 297 IDS logs confirm several SSH sessions and a local sendmail exploit download around this time. The system administrator for the compromised hosts, b6, 7C, contacted the user b6, 7C about SSH logins from several NOAA systems in the 04:00 EST hour. The user confirmed that those sessions were not legitimate. At that time, the user informed b6, 7C of the NOAA compromises. b6, 7C has been in contact with the NOAA CIRT, who provided details about their compromises. The NOAA CIRT reported to b6, 7C that a Linux ptrace exploit was responsible for their system-level compromises. b6, 7C also stated that the systems are not running Sendmail. At this time, no other exploit downloads have been detected. The local exploits were retrieved from a packetstorm.org mirror site, so it will not be considered a hostile. A number of other systems were seen conducting SSH traffic with the compromised hosts, but those have been identified as normal activity by b6, 7C. NOAA CIRT identified several additional hosts that were compromised in their network:
200141278





General Information 


Record Number: 200141278 Center: GSFC 


Title: Unauthorized Access 


Contact Name: b6, TC | Contact Phone: 
Contact Center: GSFC Coordinator: b6, 7C | 


Incident Unauthorized Access Est. Cost ($): 

Category: 

Attacker: Stakkato Hostile No 
Unknown?: 


Attacker Note: 


Impact: High 

Contact Email: [redacted]@sstc.nasa.gov
Source of MSFC IT Security Team 
Report: 

Est. Cost 

(hours): 


Incident Dates 





Incident Date: 4/7/2004 


Discovered 4/7/2004 
Date: 


NASIRC Notified 4/8/2004 
Date: 


Closed Date: 6/7/2004 


Dates For Other Notifications 


ITSM Date: 4/17/2004 


US-CERT Date: 


CSO Date: 4/8/2004 
OIG Date: 4/8/2004 
CIO Date: 

ITSO Date: 

CCITS Date: 


PII Information 




Incident Zone: GMT 


Discovered CST 
Zone: 


NASIRC Notified EDT 
Zone: 


Closed Zone: 


ITSM Zone: EST 


US-CERT Zone: 


CSO Zone: EST 
OIG Zone: EST 
CIO Zone: 

ITSO Zone: 

CCITS Zone: 

Time Limit: 30 


PII Involved?: No
PII Report Date:
PII Disclosed By:
PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Sensitivity | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Information Category
[Name, IP Address and Admin are redacted; columns not shown are blank.]
Sun Solaris 9 (Software) | Function: Research/Testing | Security Plan 295 | Exploit: Undetermined | 7271 | BRT

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41598
[redacted] | 41599
[redacted] | 41600

Additional Information

Notices
ID | Abbreviation | noticeid | Date
No Records Found
Summary: 4/8/2004: The Deputy ITSM was notified by NISN IT Security on 4/7/2004, at approximately 1915 hrs, of compromised-host telnet activity with a Romanian host. The hostile site was blocked by NISN. At approximately 2000 hrs the Deputy ITSM was contacted by NISN IT Security and was conference-called in with b6, 7C and b6, 7C; the Deputy ITSM asked to block the compromised host both inbound and outbound until [redacted] 2004. The compromised host is now off-line and blocked at the firewall. In addition, the hostiles are blocked as well. The CI Officer and OIG have been notified of the incident. 6/7/2004: Incident hours will be updated.
Chronology:


NASIRC Notes: 


4/8/2004:

Executive Summary
=================
On 2004-04-07 Code 297 IDS detected the execution of commands indicative of a compromise inside a telnet session involving a GSFC system and a Romanian hostile. Further examination of network traces showed the system was compromised, most likely some time prior to 2004-04-07. At this time the actual method of compromise is unknown. NISN reported unusual telnet activity involving the same GSFC system including "SYN, FIN, PUSH, and RST packets". While it is unusual to see packets with the PUSH flag set, the observed behavior was unrelated to the actual compromise of the system.

Summary
=======
Network trace data from 2004-04-07 at approximately 22:16 GMT shows the hostile party logging into the GSFC system using the account "bellea", and then changing users to "rewt". The presence of the "rewt" account indicates the system was compromised prior to the observed telnet traffic. The hostile party then proceeded to download a Solaris rootkit (the installation failed) and installed the PsyBNC IRC proxy. Data transmitted during the session indicates a previous login from
200141281





General Information 


Record Number: 200141281 Center: GSFC 


Title: System Compromise 


Contact Name: [redacted] Contact Phone:
Contact Center: GSFC Coordinator: b6,7C |] 


Incident System Compromise Est. Cost ($): 4200 

Category: 

Attacker: Stakkato Hostile No 
Unknown?: 


Attacker Note: 


Impact: High 
Source of NISN 
Report: 

Est. Cost 42 
(hours): 


Incident Dates 





Incident Date: 4/12/2004 


Discovered 4/12/2004 
Date: 


NASIRC Notified 4/13/2004 
Date: 


Closed Date: 4/16/2004 


Dates For Other Notifications 


ITSM Date: 4/12/2004 


US-CERT Date: 


CSO Date: 4/12/2004 
OIG Date: 4/12/2004 
CIO Date: 

ITSO Date: 

CCITS Date: 


PII Information 




Incident Zone: GMT 


Discovered GMT 
Zone: 


NASIRC Notified EDT 
Zone: 


Closed Zone: 


ITSM Zone: GMT 


US-CERT Zone: 


CSO Zone: GMT 
OIG Zone: GMT 
CIO Zone: 

ITSO Zone: 

CCITS Zone: 

Time Limit: 30 


PII Involved?: No


PII Disclosed By: 


PII Data Types: 


Scope of PII 
Exposure: 


PII Report Date:
PII Data Protection: Unknown
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Sensitivity | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Information Category
[Name, IP Address and Admin are redacted; columns not shown are blank.]
IBM | AIX | Workstation | Port 4242, 25841 | Not listed - Described in Comments | 7274 | SER
IBM | AIX | Server: Application | Port 4242, 25841 | Not listed - Described in Comments | 7275 | SER

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41601
[redacted] | 41602

Additional Information

Notices
ID | Abbreviation | noticeid | Date
A-04-100 | NASIRC | 3301 | 14-APR-2004

Summary:

Chronology:

NASIRC Notes:

4/13/2004: Both systems and hostiles are blocked at the firewall. These systems will be rebuilt and scanned before they are authorized back into the CNE environment. 6/4/2004: IRT (10) Incident hours updated. 7/24/2004: Incident hours updated by affecting organization; 24 hrs previously reported, final report indicates 32.

4/13/2004: A report from NISN regarding hostile probing was reported on 2004-04-12. Initial investigation reveals that on 2004-04-12 starting at 16:56:43 GMT, hostile attacks against port 4242/tcp were detected. At 17:00:21 and 17:02:27 GMT on the same day, two AIX machines sustained system compromises. Another attack was seen against port 21/tcp on a couple of hosts, but those were unsuccessful. The intruder appears to have had some difficulty compiling source code on one of the machines and trouble FTPing files on the other. Both systems were exploited via [redacted] service on port 4242/tcp
200141287

General Information

Record Number: 200141287
Center: JPL
Title: [redacted].jpl.nasa.gov Compromised
Contact Name: (b) (6), (b) (7)(C)
Contact Phone:
Contact Center: NASIRC
Coordinator:
Incident Category: Unauthorized Access
Est. Cost ($): 1100
Attacker: Stakkato
Hostile Unknown?: No
Attacker Note:
Impact: High
Contact Email:
Source of Report:
Est. Cost (hours): 11

Incident Dates

Incident Date: 4/14/2004
Incident Zone: PDT
Discovered Date: 4/21/2004
Discovered Zone:
NASIRC Notified Date: 4/23/2004
NASIRC Notified Zone: EDT
Closed Date: 5/26/2004
Closed Zone:

Dates For Other Notifications
ITSM Date:
ITSM Zone:
US-CERT Date:
US-CERT Zone:
CSO Date:
CSO Zone:
OIG Date:
OIG Zone:
CIO Date:
CIO Zone:
ITSO Date:
ITSO Zone:
CCITS Date:
CCITS Zone:
Time Limit: 30

PII Information
PII Involved?: No
PII Report Date:
PII Disclosed By:
PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Sensitivity | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Information Category
[Name, IP Address and Admin are redacted; columns not shown are blank.]
Linux | Linux | Sensitivity: ITAR | Security Plan 486 | Account - User | 7398 | Sensitive Info? Y | N/A

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41912

Additional Information

Notices
ID | Abbreviation | noticeid | Date
[redacted]-ID130-04- | Center | 3296 | 26-APR-2004

Summary: 05/07/2004: 3 additional JPL systems were added per weekly incident report from [redacted] at JPL.
Chronology:

-----Original Message-----
From: [redacted]@nasa.gov [mailto:[redacted]@nasa.gov]
Sent: Friday, April 23, 2004 9:55 AM
To: [redacted]@hq.nasa.gov; [redacted]@jpl.nasa.gov; [redacted]@nasa.gov; [redacted]@jpl.nasa.gov; [redacted]@hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) Incident Initial Notification (ID_130)

INITIAL INCIDENT NOTIFICATION
Investigation Name: [redacted]-ID130-04-2004
Incident Date: 2004-04-14, 14:04
Investigator Name: [redacted]
Notified By: External Site
Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | Linux Kernel | n/a | UA | User Account | Yes | ITAR
Perpetrator Computer Information: IP ADDRESS | CITY | STATE | COUNTRY
1. [redacted] | Bethlehem | PA | United States
Sensitive Information Involved: Yes
Description of Sensitive Information Involved: ITAR
Additional Information: None.
NASIRC Action: None.

-----Original Message-----
From: [redacted] [mailto:[redacted]@jpl.nasa.gov]
Sent: Monday, April 26, 2004 6:10 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]
Subject: (NASIRC Ref: 107414794) Weekly Incident Report for 16Apr04_25Apr04

NEW INCIDENTS: 1
INCIDENT INFO
Incident Name: [redacted]-ID130-04-2004
Discovery Date: 21-APR-04
Exploit Date: 14-APR-04
Labor Hours: n/a
Labor Cost: n/a
HOSTILE SYSTEMS
Hostile Name: [redacted]
Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov
IP Address: [redacted]
Incident Category: Unauthorized Access
Exploit Used: User Account
System OS: Linux Kernel
OS Version: n/a
System Security Plan: 486
Domain Name: [redacted].jpl.nasa.gov
IP Address: [redacted]
Incident Category: System Compromise
Exploit Used: Undetermined
System OS: Sun Solaris
OS Version: n/a
System Security Plan: n/a

-----Original Message-----
From: [redacted] [mailto:[redacted]@jpl.nasa.gov]
Sent: Friday, May 07, 2004 5:46 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@[redacted].jpl.nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov
Subject: (NASIRC Ref: 107417505) Weekly Incident Report for 30Apr04_06May04

INCIDENT INFO
Incident Name: ICE--ID131-04-2004
Discovery Date: 27-APR-04
Exploit Date: 22-APR-04
Labor Hours: n/a
Labor Cost: n/a
HOSTILE SYSTEMS
Hostile Name: [redacted]
Hostile IP: [redacted]
[further hostile name / IP pairs redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov; IP Address: [redacted]; Incident Category: System Compromise; Exploit Used: SSL_PCT1_Overflow; System OS: MS Windows 2000; OS Version: 2K; System Security Plan: 304
Domain Name: [redacted].jpl.nasa.gov; IP Address: [redacted]; Incident Category: System Compromise; Exploit Used: SSL_PCT1_Overflow; System OS: MS Windows 2000; OS Version: 2K; System Security Plan: n/a
Domain Name: [redacted].nasa.gov; IP Address: [redacted]; Incident Category: System Compromise; Exploit Used: SSL_PCT1_Overflow; System OS: MS Windows 2000; OS Version: 2K; System Security Plan: 273
Domain Name: [redacted].jpl.nasa.gov; IP Address: [redacted]; Incident Category: System Compromise; Exploit Used: SSL_PCT1_Overflow; System OS: MS Windows 2000; OS Version: 2K; System Security Plan: 383
Domain Name: [redacted].jpl.nasa.gov; IP Address: [redacted]; Incident Category: System Compromise; Exploit Used: SSL_PCT1_Overflow; System OS: MS Windows 2000; OS Version: 2K; System Security Plan: 85
Domain Name: [redacted]; IP Address: [redacted]; Incident Category: System Compromise; Exploit Used: SSL_PCT1_Overflow; System OS: MS Windows 2000; OS Version: 2K; System Security Plan: 442
Domain Name: [redacted].jpl.nasa.gov; IP Address: [redacted]; Incident Category: System Compromise; Exploit Used: SSL_PCT1_Overflow; System OS: MS Windows 2000; OS Version: 2K; System Security Plan: 304
Incident Category: System
200141289

General Information

Record Number: 200141289
Center: JPL
Title: [redacted] Compromised
Contact Name: (b) (6), (b) (7)(C)
Contact Phone:
Contact Center: NASIRC
Coordinator:
Incident Category: Non-Incident
Est. Cost ($): 1100
Attacker: Stakkato/stkto
Hostile Unknown?: No
Attacker Note:
Impact: High
Contact Email: [redacted]@nasirc.nasa.gov
Source of Report:
Est. Cost (hours): 11

Incident Dates

Incident Date: 4/14/2004
Incident Zone:
Discovered Date: 4/21/2004
Discovered Zone:
NASIRC Notified Date: 4/26/2004
NASIRC Notified Zone: EDT
Closed Date: 5/27/2004
Closed Zone:

Dates For Other Notifications
ITSM Date:
ITSM Zone:
US-CERT Date:
US-CERT Zone:
CSO Date:
CSO Zone:
OIG Date:
OIG Zone:
CIO Date:
CIO Zone:
ITSO Date:
ITSO Zone:
CCITS Date:
CCITS Zone:
Time Limit: 30

PII Information
PII Involved?: No
PII Report Date:
PII Disclosed By:
PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Sensitivity | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Information Category
[Name, IP Address and Admin are redacted; columns not shown are blank.]
Sun Solaris 9 (Software) | 7400

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41913

Additional Information

Notices
ID | Abbreviation | noticeid | Date
ARCTICWOLF-ID130-04- | Center | 3295 | 26-APR-2004

Summary: 05/27/2004: Corbin indicated that this is a false positive and part of the Arcticwolf case (200141287).
Chronology:

-----Original Message-----
From: [redacted] [mailto:[redacted]@jpl.nasa.gov]
Sent: Monday, April 26, 2004
To: nasirc@nasirc.hq.nasa.gov
Cc: [redacted]@nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]; [redacted]@nasa.gov
Subject: (NASIRC Ref: 107414794) Weekly Incident Report for 16Apr04_25Apr04

NON INCIDENTS:
INCIDENT INFO
Incident Name: [redacted] D 50-05-2004
Discovery Date: 21-APR-04
Exploit Date: 14-APR-04
Labor Hours: n/a
Labor Cost: n/a
HOSTILE SYSTEMS
Hostile Name: [redacted]
Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].jpl.nasa.gov
IP Address: [redacted]
Incident Category: Unauthorized Access
Exploit Used: User Account
System OS: Linux Kernel
OS Version: n/a
System Security Plan: 486
Domain Name: [redacted].jpl.nasa.gov
IP Address: 137.79.125.117
Incident Category: System Compromise
Exploit Used: Undetermined
System OS: Sun Solaris 9
OS Version: n/a
System Security Plan: n/a

NASIRC Notes:

200141290
General Information 
Record Number: 200141290 Center: ARC 
Title: NAS compromise(Now part of Incident 200141309) 


Contact Name: (b) (6), (b) (7)(C) Contact Phone: 
Contact Center: ARC Coordinator: Ban 


Incident Unauthorized Access Est. Cost ($): 

Category: 

Attacker: Stakkato/stkto Hostile No 
Unknown?: 


Attacker Note: 


Impact: Unknown 
Contact Email: CREME @nasa.gov 
Source of 
Report: 
Est. Cost 
(hours): 
Incident Dates 
Incident Date: 4/22/2004 Incident Zone: 
Discovered 4/22/2004 Discovered 
Date: Zone: 
NASIRC Notified 4/26/2004 NASIRC Notified EDT 
Date: Zone: 
Closed Date: 6/3/2004 Closed Zone: 
Dates For Other Notifications 
ITSM Date: ITSM Zone: 
US-CERT Date: US-CERT Zone: 
CSO Date: CSO Zone: 
OIG Date: OIG Zone: 
CIO Date: CIO Zone: 
ITSO Date: ITSO Zone: 
CCITS Date: CCITS Zone: 
Time Limit: 30 


PII Information 
PII Involved?: No
PII Report Date:
PII Disclosed By:
PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Sensitivity | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Information Category
[Columns not shown are blank.]
IP Address: 0.0.0.0 | OS: Unknown | HW: Other | Exploit: Undetermined | 7756 | N/A

Hostile Site Information
IP Address | hostile_site_id
0.0.0.0 | 41920

Additional Information

Notices
ID | Abbreviation | noticeid | Date
No Records Found


Summary: This incident is now part of Incident 200141309.

On Thursday April 22, 2004 at approx. 4pm IT Security was notified by the security group at the NAS facility that they had encountered an incident with one of their supercomputers where they found a user-level compromise. The OIG and ITSM were notified immediately. An agreement between the OIG, NAS and ITSM stated that the system would remain online unless evidence of a root-level compromise occurred. The system is currently being reviewed by the security team at the NAS facility.


Chronology: 


NASIRC Notes: This incident is possibly related to incidents at JPL and GSFC. 
200141299

General Information

Record Number: 200141299
Center: JPL
Title: System Compromises at JPL (JPL ID 132)
Contact Name: [redacted]
Contact Phone:
Contact Center: NASIRC
Coordinator:
Incident Category: Unauthorized Access
Est. Cost ($): 20000
Attacker: Stakkato
Hostile Unknown?: No
Attacker Note:
Impact: High
Contact Email: [redacted]@nasirc.nasa.gov
Source of Report:
Est. Cost (hours): 200

Incident Dates

Incident Date: 4/17/2004
Incident Zone: PDT
Discovered Date: 5/4/2004
Discovered Zone:
NASIRC Notified Date: 5/5/2004
NASIRC Notified Zone: EDT
Closed Date: 3/7/2005
Closed Zone:

Dates For Other Notifications
ITSM Date:
ITSM Zone:
US-CERT Date:
US-CERT Zone:
CSO Date:
CSO Zone:
OIG Date:
OIG Zone:
CIO Date:
CIO Zone:
ITSO Date:
ITSO Zone:
CCITS Date:
CCITS Zone:
Time Limit: 300

PII Information
PII Involved?: No
PII Report Date:
PII Disclosed By:
PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:
Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No

Host Information

NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Sensitivity | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Information Category
[Name, IP Address and Admin are redacted. The table was flattened in extraction; the cells below are given in extraction order, grouped as they appeared, and columns not shown are blank.]
RedHat | Linux 7.x | Security Plan 506 | Undetermined | 7649 | SER | CAT 1
Sun Solaris 8 (Software) | Security Plan 132 | Password - Compromised | 7705 | SER
Sun Solaris 2.6 (Software) | Password - Compromised | 7706
RedHat | Linux 7.x
Sun Solaris 2.6 (Software)
Linux | Linux | Local Root Exploit | 7753
Sun Solaris 2.5 (Software) | Security Plan 93 | Local Root Exploit
Linux | Linux | Local Root Exploit | 7835
Local Root Exploit | 7836
Sun Solaris 8 (Software) | Local Root Exploit
SuSE | Linux 8.0
RedHat | Linux | Security Plan 372 | Linux ptrace() kmod | 7771
RedHat | Linux 7.x
RedHat | Linux
RedHat | Linux 7.x
Sun Solaris (Software) | Sun | 2.6 | Local Root Exploit
SGI | IRIX 6.5 | Local Root Exploit

Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41946
[redacted] | 41947
[redacted] | 41948
[redacted] | 41949
[redacted] | 41950
[redacted] | 41943
[redacted] | 41944
[redacted] | 41945
[redacted] | 41924
[redacted] | 41925
[redacted] | 41914
[redacted] | 41921
[redacted] | 41922
[redacted] | 41923
[redacted] | 41959
Additional Information 
Notices 
ID Abbreviation noticeid Date 
107491869 Mail Handler 3575 14-MAR-2005 
A-04-126 NASIRC 3305 05-MAY-2004 
A-04-126-A NASIRC 3361 07-MAY-2004 
A-04-126-B NASIRC 3362 01-JUN-2004 
A-04-126-C NASIRC 3363 08-JUN-2004 
A-04-126-D NASIRC 3364 21-JUN-2004 
A-04-126-E Mail Handler 3365 22-JUN-2004 
A-04-126-F NASIRC 3366 28-JUN-2004 
A-04-126-G NASIRC 3367 19-JUL-2004 
JPL ID 132 Center 3438 09-SEP-2004 
VXSERVER-ID132-05-20 Center 3300 05-MAY-2004 
Summary: 05/05/2004: NASIRC received a report from [redacted] at JPL with information regarding the compromise of NASA system 137.78.65.82. NASIRC issued an alert. [redacted]/2004: Updated incident per [redacted] Weekly Incident Report: 5 additional JPL systems compromised, 2 unauthorized access, 1 undetermined category. Listed below. Talked to [redacted] about issuing a followup alert. He said ok. 05/10/2004: Separated the System Compromises, Unauthorized Accessed Systems and Undetermined Category into three separate incidents: 200141304, Unauthorized Access Incident; 200441305, Other IT Concern Incident; 200141299, System Compromise Incident. 06/25/2004: More updates added per weekly incident report.
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Chronology: 


NASIRC Notes: 








-----Original Message-----
From: [redacted] [mailto:[redacted]@[redacted].nasa.gov]
Sent: Wednesday, May 05, 2004 11:49 AM
To: jpl-ccd@imx.hq.nasa.gov; [redacted].jpl.nasa.gov; [redacted].jpl.nasa.gov; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: NASIRC Ref: [redacted] Incident Initial Notification (ID [redacted])

INITIAL INCIDENT NOTIFICATION
Investigation Name: [redacted]
Incident Date: 2004-04-17, 07:07
Investigator Name: [redacted]
[garbled] By: NA
Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | RedHat Linux 7.x | n/a | SC | Undetermined | No | None
Perpetrator Computer Information: IP ADDRESS | CITY | STATE | COUNTRY
1. [redacted] | n/a | PA | United States
Sensitive Information Involved: No
Description of [garbled]
Additional Information: None.
NASIRC Action: None.
[...] [redacted].nasa.gov
Subject: (NASIRC Ref: 107417505) Weekly Incident Report for 30Apr04_06May04

*** NEW INCIDENTS: 1 ***
INCIDENT INFO
Incident Name: VXSERVER-ID132-05-2004
Discovery Date: 04-MAY-04
Exploit Date: 17-APR-04
Labor Hours: n/a
Labor Cost: n/a
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile [redacted]
AFFECTED SYSTEMS
1. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
2. Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: Sun Solaris [version garbled]   OS Version: n/a   System Security Plan: 132
3. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: Sun Solaris 2.6 [garbled]   OS Version: n/a   System Security Plan: 132
4. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: 506
5. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: 131
6. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: MKLinux   OS Version: n/a   System Security Plan: 506
7. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Unknown   Exploit Used: Undetermined   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
8. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 506
9. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Undetermined   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 506
06/09/2004:
-----Original Message-----
From: [redacted]
Sent: Tuesday, June 08, 2004 2:53 PM
To: [redacted]; nasirc@nasirc.hq.nasa.gov
Cc: [redacted]
Subject: (NASIRC Ref: [garbled]) Re: JPL incident will go beyond 30 day mark

Extension approved. [initials]

6/7/04: JPL requested extension to close.
-----Original Message-----
From: [redacted] [mailto:[redacted]@[redacted].nasa.gov]
Sent: Monday, June 07, 2004 11:23 AM
To: nasirc@nasirc.hq.nasa.gov; [redacted].nasa.gov
Cc: [redacted]
Subject: (NASIRC Ref: 107428173) JPL incident will go beyond 30 day mark

Upon reviewing the open incidents, I see that incident # 200141299 has gone beyond its 30 mark of Jun 6th. We have added 2 new compromised hosts to this incident and may not be able to complete the investigation and incident summary by the deadline.
P.S. Had to remove [redacted] as Ames PKI seems to be unavailable - I'll forward this to him as soon as I can.
--
[redacted]
IT Security Operations Lead, ETS Service Engineer, JPL SAGE Chair, ICIS Office, Jet Propulsion Laboratory
Public PGP key: [redacted]

07/19/2004: NASIRC received the weekly incident update. NASIRC updated this incident. [initials]
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200141304 
General Information 
Record Number: 200141304 Center: JPL 
Title: Unauthorized Access of Six JPL Systems (JPL ID 132) 


Contact Name: (b) (6), (b) (7)(0) 


Contact Center: NASIRC 


Incident Unauthorized Access 
Categorv: 
Attacker: Stakkato 


Attacker Note: 


Incident Dates 
Incident Date: 4/17/2004 


Discovered 5/4/2004 
Date: 


NASIRC Notified 5/10/2004 
Date: 


Closed Date: 3/7/2005 


Dates For Other Notifications 
ITSM Date: 


US-CERT Date: 
CSO Date: 
OIG Date: 

CIO Date: 
ITSO Date: 


CCITS Date: 


PII Information 




Contact Phone: 


Coordinator: (b) (6), (b) (7(C) 


Est. Cost ($): 4800 


Hostile No 
Unknown?: 
Impact: High 


Contact Email: [redacted]@nasirc.nasa.gov
Source of Report: [redacted]


Est. Cost 48 
(hours): 


Incident Zone: 


Discovered 
Zone: 


NASIRC Notified EDT 
Zone: 


Closed Zone: EST 


ITSM Zone: 
US-CERT Zone: 
CSO Zone: 
OIG Zone: 

CIO Zone: 
ITSO Zone: 
CCITS Zone: 


Time Limit: 300 
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PII Involved?: No PII Report Date: 
PII Disclosed By: PII Data Unknown 
Protection: 


PII Data Types: 


Scope of PII Number of 

Exposure: Unauthorized 
People with 
Access: 


PII Report Zone: 


Law No 
Enforcement/ 
IG Notified?: 
Host Information 
NASA System Information 
Info 
Sen rma 
os HW Sensitivit sitiv tion 
Manuf Manuf OS HW y e Cat Cat 
acture acture Versio Versio Functi Descripti Securit Org. Info ego ego 
Name IP Address Admin r r n n on on yPlan CVE Port Code Exploit svstem id ? ry ry 
Redha Linux Accou 7720 SER 
t nt - CAT 
User 1 
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Accou 7721 
nt- 
User 
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Sun Solaris 
(Softw 8 
are) 
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nt- 
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Sun Solaris 
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SGI SGI IRIX 
6.5 
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Hostile Site Information 

IP Address hostile_site_id
Additional Information 
Notices 
ID Abbreviation noticeid Date 
107491869 Mail Handler 3576 14-MAR-2005 
A-04-126 NASIRC 3368 05-MAY-2004 
A-04-126-A NASIRC 3369 07-MAY-2004 
A-04-126-B NASIRC 3370 01-JUN-2004 
A-04-126-C NASIRC 3371 08-JUN-2004 
A-04-126-D NASIRC 3372 21-JUN-2004 
A-04-126-E NASIRC 3373 22-JUN-2004 
A-04-126-F NASIRC 3374 28-JUN-2004 
A-04-126-G NASIRC 3375 19-JUL-2004 
JPL ID 132 Center 3439 09-SEP-2004 
VXSERVER-ID132-05-20 Center 3306 25-JUN-2004 
Summary: 05/10/2004: Separated the System Compromises, Unauthorized Accessed Systems and Undetermined Category into three separate incidents: 200141304, Unauthorized Access Incident; 200441305, Other IT Concern Incident; 200141299, System Compromise Incident.
Chronology:
-----Original Message-----
From: [redacted] [mailto:[redacted]@enigma.jpl.nasa.gov]
Sent: Friday, May 07, 2004 5:46 PM
To: nasirc@nasirc.hq.nasa.gov; [redacted].nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted].nasa.gov; [redacted].nasa.gov
Subject: (NASIRC Ref: 107417505) Weekly Incident Report for 30Apr04_06May04

*** NEW INCIDENTS: 1 ***
INCIDENT INFO
Incident Name: VXSERVER-ID132-05-2004
Discovery Date: 04-MAY-04
Exploit Date: 17-APR-04
Labor Hours: n/a
Labor Cost: n/a
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile [redacted]
AFFECTED SYSTEMS
1. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
2. Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: Sun Solaris [version garbled]   OS Version: n/a   System Security Plan: 132
3. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: Sun Solaris 2.6 [garbled]   OS Version: n/a   System Security Plan: 132
4. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: 506
5. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: 131
6. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: MKLinux   OS Version: n/a   System Security Plan: 506
7. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Unknown   Exploit Used: Undetermined   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
8. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 506
9. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Undetermined   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 506
NASIRC Notes: 06/09/2004
-----Original Message-----
From: [redacted] [mailto:[redacted]@[redacted].nasa.gov]
Sent: Tuesday, June 08, 2004 2:53 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: [redacted]
Subject: (NASIRC Ref: 107[garbled]) Re: incident will go beyond 30 day mark

Extension approved. [initials]

NASIRC received the JPL weekly incident update. NASIRC updated this incident. [initials]
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200141305 





General Information 


Record Number: 200141305 Center: JPL 


Title: [redacted].jpl.nasa.gov Category Non-Incident
Contact Name: (b) (6), (b) (7)(0) Contact Phone: 
Contact Center: NASIRC Coordinator: (b) (6), (b) (NIC) 


Incident Non-Incident Est. Cost ($): 100 

Categorv: 

Attacker: Stakkato Hostile No 
Unknown?: 


Attacker Note: 


Impact: High 


Contact Email: [redacted]@nasirc.nasa.gov
Source of Report: [redacted]
Est. Cost 1 
(hours): 
Incident Dates 
Incident Date: 4/17/2004 Incident Zone: 
Discovered 5/4/2004 Discovered 
Date: Zone: 
NASIRC Notified 5/10/2004 NASIRC Notified EDT 
Date: Zone: 
Closed Date: 6/8/2004 Closed Zone: 
Dates For Other Notifications 
ITSM Date: ITSM Zone: 
US-CERT Date: US-CERT Zone: 
CSO Date: CSO Zone: 
OIG Date: OIG Zone: 
CIO Date: CIO Zone: 
ITSO Date: ITSO Zone: 
CCITS Date: CCITS Zone: 
Time Limit: 30 


PII Information 
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PII Involved?: No PII Report Date: 
PII Disclosed By: PII Data 
Protection: 
PII Data Types: 
Scope of PII Number of 
Exposure: Unauthorized 
People with 
Access: 
PII Report Zone: 
Law No 
Enforcement/ 
IG Notified?: 
Host Information 
NASA System Information 
os HW Sensitivit 
Manuf Manuf OS HW y 
acture acture Versio Versio Functi Descripti Securit 








Name IP Address Admin r r n n on on yPlan CVE Port 
Redha Linux 
t 
Linux 506 
Linux 506 
Hostile Site Information 
IP Address hostile_site_id 
(b) (6), (b) (7)(E) 41915 
Additional Information 
Notices 
ID Abbreviation noticeid 
(b) (6), (b) E) — Center 3303 
PII Data Protection: Unknown
Exploit: Undetermined; system_id: 7719, 7778, 7779
Date: 01-JUN-2004
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Summary: 


Chronology: 


NASIRC Notes: 





06/21/04: Added [redacted] and [redacted] to this incident; issued follow-up to change category to non-incident, OK'd with [redacted]. [redacted] was a false positive. User had legit accounts on NAS and all were accounted for.
5/10/2004: Entered this incident as an Other IT Concern because the category was Undetermined. [initials]
[date garbled]/04: Separated the System Compromises, Unauthorized Accessed Systems and Undetermined Category into three separate incidents: 200141304, Unauthorized Access Incident; 200441305, Other IT Concern Incident; 200141299, System Compromise Incident.


-----Original Message-----
From: [redacted] [mailto:[redacted]]
Sent: Friday, May 07, 2004 5:46 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted].nasa.gov; [redacted].nasa.gov
Subject: (NASIRC Ref: 107417505) Weekly Incident Report for 30Apr04_06May04

*** NEW INCIDENTS: 1 ***
INCIDENT INFO
Incident Name: [redacted]
Discovery Date: 04-MAY-04
Exploit Date: 17-APR-04
Labor Hours: n/a
Labor Cost: n/a
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile [redacted]
AFFECTED SYSTEMS
1. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
2. Domain Name: [redacted]   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: Sun Solaris [version garbled]   OS Version: n/a   System Security Plan: 132
3. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: Sun Solaris 2.6 [garbled]   OS Version: n/a   System Security Plan: 132
4. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: 506
5. Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: 131
6. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: MKLinux   OS Version: n/a   System Security Plan: 506
7. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: Unknown   Exploit Used: Undetermined   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
8. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Root account cracked   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 506
9. Domain Name: [redacted].jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Undetermined   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 506

06/08/2004: [redacted] was a false positive. User had legit accounts on NAS and all were accounted for.


(Corbin)
6/8/04: JPL changed category for [redacted] to non-incident.
6/18/04: JPL reported [redacted] and [redacted] as False alarm.
6/22/04: Per [redacted] add [redacted] AND [redacted] to this incident and issue follow-up alert A-04-126 to record these systems as being non-incidents. [initials]
06/08: [entry garbled]
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200141309 
General Information 
Record Number: 200141309 Center: ARC 
Title: Supercomputer Root Compromise (amalthea, time, Lou, touring, Helios1) 


Contact Name: (b) (6), (b) (7)(C) 


Contact Center: ARC 


Incident Unauthorized Access 
Categorv: 
Attacker: Stakkato 


Attacker Note: 


Incident Dates 


Incident Date: 5/19/2004 


Discovered 5/19/2004 
Date: 


NASIRC Notified 5/21/2004 
Date: 


Closed Date: 10/12/2005 


Dates For Other Notifications 
ITSM Date: 5/20/2004 


US-CERT Date: 


CSO Date: 5/19/2004 
OIG Date: 5/20/2004 
CIO Date: 

ITSO Date: 

CCITS Date: 


PII Information 




Contact Phone: 
Coordinator: 


Est. Cost ($): 1130450 


Hostile No 

Unknown?: 

Impact: Unknown 

Contact Email: ES nasa.gov 
Source of 

Report: 

Est. Cost 11304.5 

(hours): 


Incident Zone: PDT 


Discovered PDT 
Zone: 


NASIRC Notified EDT 
Zone: 


Closed Zone: 


ITSM Zone: 
US-CERT Zone: 
CSO Zone: 
OIG Zone: 

CIO Zone: 
ITSO Zone: 
CCITS Zone: 


Time Limit: 510 
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PII Involved?: No PII Report Date: 
PII Disclosed By: PII Data Unknown 
Protection: 


PII Data Types: 


Scope of PII Number of 

Exposure: Unauthorized 
People with 
Access: 


PII Report Zone: 


Law No 
Enforcement/ 
IG Notified?: 
Host Information 
NASA System Information 
Info 
Sen rma 
os HW Sensitivit sitiv tion 
Manuf Manuf OS HW y e Cat 
acture acture Versio Versio Functi Descripti Securit Org. Info ego 
Name IP Address Admin r r n n on on yPlan CVE Port Code Exploit system_id ? ry 
SGI IRIX IN Accou 7724 N/ 
nt- A 
User 
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Packa x tation 
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Hostile Site Information 

IP Address hostile_site_id 
Additional Information 
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Notices 

ID Abbreviation noticeid Date 
A-04-138 NASIRC 3302 21-MAY-2004 
A-04-138-A NASIRC 3500 12-NOV-2004 
A-04-138-B NASIRC 3509 24-NOV-2004 
A-04-138-C NASIRC 3510 01-DEC-2004 
A-04-138-D NASIRC 4603 10-MAR-2005 
A-04-138-E NASIRC 4604 11-MAR-2005 
A-04-138-F NASIRC 4602 12-OCT-2005 
USCERT#870831 CERT Team 3511 01-DEC-2004 
Summary: 10/12/2005: 200141309 & 200141486 should have been combined. Please reference both. - These two systems are currently isolated and under investigation. Block all MIT user access to turing.nas.nasa.gov.
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Chronology: 


Time: The wtmp on time shows a root login from amalthea.arc on 5/21 at 4:56am which was unauthorized. The logs on the system show a rshd execution as root of "sh -i" at 4:55am, then a root "rcp -t /usr/bin" at 4:55, and a root rlogin at 4:56am. A binary called zap was found in /usr/bin timestamped 4:55 which had been rcp'd in from amalthea. The mtime on /etc/shadow was 5/21 at 4:56am, and it was found that a password had been added to the normally locked sysadm account at that time. A .sh_history owned by root was found in / containing commands such as "zap root", which uses his tool to erase root's login, and "ssh sysadm@localhost id" to verify his sysadm root backdoor. It also contained "rm /etc/hosts.deny".

Friday, Nov. 12th, 2004 - In response from message:
"Delivered-To: [redacted]@hq.nasa.gov
X-Envelope-From: [redacted]@ncsa.uiuc.edu
Date: Fri, [day garbled] Nov 2004 01:07:31 -0600
From: [redacted]
To: nasirc@nasirc.hq.nasa.gov, [redacted].nasa.gov
Cc: [redacted]
Subject: another hit
User-Agent: [garbled].2i
X-NCSA-MailScanner-Information: Please contact the help@ncsa.uiuc.edu for more information
X-NCSA-MailScanner: Found to be clean

Hate to always be the bearer of bad news, but might have another hot one for you. The following was downloaded today:
>198.9.15.21 - - [11/Nov/2004:09:30:30 -0500] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 200 792723 [turing.nas.nasa.gov]
That's all (from NASA at least :). Be
[redacted]
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
[redacted] East Springfield Avenue, Champaign, IL 61820
Voice: [redacted]   Cell: [redacted]   Fax: [redacted]
http://www.ncsa.uiuc.edu/"
[redacted], Special Agent, Computer Crimes Division, Western Region, NASA Office of Inspector General. Phone: [redacted]   Fax: (818) 393-3000   Cell: [redacted]   24 HR: (818) 354-0160

Per NAS facility investigation: It has been confirmed that a user account at MIT has been compromised. User [redacted] disabled for now.

Tuesday, November 16, [garbled]: [redacted] of MIT accessed Turing. [redacted] 11/05/04 12:42 UTC from fiord.mit.edu. [redacted] 20:24 UTC from IP swamp.mit.edu. Also access attempts from [garbled]: sannino - 09/07/04 09:25 nat-75-158.casaccia.enea.it. sannino - [date garbled] 06:[garbled] UTC from [garbled]civ0.casaccia.enea.it. dec

-----Original Message-----
From: US-CERT [mailto:soc@us-cert.gov]
Sent: Wednesday, December 01, 2004 10:58 AM
To: bulletin@nasirc.hq.nasa.gov
Cc: NASIRC; soc@us-cert.gov
Subject: (NASIRC Ref: 107462433) Re: (High:SGI IRIX) [NASIRC A-04-138-C]

US-CERT has received your incident report and has been assigned USCERT#870831 for future reference. Thank you for your report, US-CERT Security Operations Center 888-282-0870 soc@us-cert.gov www.us-cert.gov

----------------------------------------------
Templar / Camelot Incident - 3/7/2005
Summary: Two machines on the private network and one machine at the NAS had user level compromises on 2/23/2005. [redacted] from UIUC contacted us and let us know that a system known as Templar could have been compromised recently. I examined the system on 3/4/2005, and found that the dgomez account was illegally accessed on 2/23/05 at 3:32am from a machine called verlet.stanford.edu. On 2/23/05, from 3:32am until 3:43am, the attacker was logged in. From 3:34am until 3:37am, the attacker used the same password as Templar used to access Camelot.arc.nasa.gov. On Templar the history file was deleted, but on Camelot, the attacker forgot to remove his history file, allowing us to see the commands he entered. Analysis of the file system confirmed that the commands in the history were an accurate representation of the activities performed on the system by the intruder. On Templar, not much evidence of the break-in was left. There was the wtmp entry, which stated: verlet.stanford.edu Wed Feb 23 03:32 - 03:43. A file in [redacted]'s home directory, ssh.a.scr, was last read on [date garbled]/05 at 3:37am. On Camelot, the following wtmp entry was left: templar.arc.nasa.gov Wed Feb 23 03:34 - 03:37. In [redacted] on Camelot, a .history file was left with an mtime of [date garbled] 2005 at 3:37am. The last part of this .history file contains the attacker's commands. Also on Camelot, an authorized_keys and authorized_keys2 file was left at 3:36am. The key put into these files is a backdoor allowing remote access to the dgomez account. The atimes on the authorized_keys files matched the mtimes, indicating that the backdoor had never been used. On both Camelot and Templar, the compilers had been used to build nfsshell.tar.gz, which was run in an attempt to exploit more NFS servers on the private network. The tool was downloaded using an HTTP request via wget from www.cs.vu.nl. Lou.nas.nasa.gov was accessed briefly via the [redacted] account on 2/23/2005 at 3:39am. There are no signs of this unauthorized access on Lou. Since the machine verlet.stanford.edu was the source of the attacks and was located nearby physically, I had the admin bring it to Ames to see if there was any additional evidence there. It was apparent that Verlet had been root compromised - the logs had been edited to remove the intruder's entries, but there were also connections from root@127.0.0.1 at the same time that the ssh client was patched, confirming that the intruder was logged in at the time. An ls -l of /usr/bin/ssh showed a mtime in 2003, but the ctime of 2/22/2005 at 6:34am. It is almost certain that the patched ssh was installed on 2/22, one day before Templar, Camelot, and Lou were accessed. [redacted] also used his Columbia account from the compromised host. The ssh binary was recovered and is included with this report. Also included is the .history which was recovered, and some ls output showing that some files were accessed at 3:30 in the morning on 2/23/05. Based on the commands executed, time of day, and familiar modus operandi, it appears that the attacker is Stakkato.

Noticed SETUID programs. All MIT user accounts have been [...] reported, user account [...] and sea.mit.edu and I [...]
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NASIRC Notes: 


10/12/2005: 200141309 & 200141486 should have been combined. Please reference both.
6/4/04: Contacted [redacted] regarding the addition of amalthea, time and turing to this record. He said that investigation is going on and as more information is available it will be added; he said he did not enter this. (I told him I called him as the record has his name on it.) NASIRC will wait a while before updating the alert A-04-138 to allow more information to be entered. [initials]
07/19/2004: [redacted] approved an extension request from [redacted]. The email request and approval emails can be found in the complete folder. [initials]
11/16/2004: sensors2.gsfc.nasa.gov was deleted as a hostile site. [initials]
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General Information 


Record Number: 200141312 
Title: Misconfigured NFS 


Contact Name: (b) (6); (b) (7)(C) 


Contact Center: ARC 


Incident Other IT Concerns 
Categorv: 
Attacker: Stakkato 


200141312
Center: ARC
Contact Phone:
Coordinator:
Est. Cost ($): 7400
Hostile Unknown?: No
Attacker Note: A directory was created under a user on May 20 17:20 with Stakkato_was_here. The partition was later found to be world writable.


Incident Dates 
Incident Date: 5/20/2004 


Discovered 5/21/2004 
Date: 


NASIRC Notified 5/25/2004 
Date: 


Closed Date: 6/30/2004 


Dates For Other Notifications 
ITSM Date: 5/21/2004 


US-CERT Date: 

CSO Date: 5/21/2004 
OIG Date: 

CIO Date: 

ITSO Date: 


CCITS Date: 


PII Information 




Impact: Low
Contact Email:
Source of Report:
Est. Cost (hours):
Incident Zone: PDT
Discovered Zone: PDT
NASIRC Notified Zone: EDT
Closed Zone:
ITSM Zone:
US-CERT Zone:
CSO Zone:
OIG Zone:
CIO Zone:
ITSO Zone:
CCITS Zone:
Time Limit: 30
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PII Involved?: No PII Report Date: 
PII Disclosed By: PII Data Unknown 
Protection: 


PII Data Types:


Scope of PII Number of 

Exposure: Unauthorized 
People with 
Access: 


PII Report Zone: 





Law No 
Enforcement/ 
IG Notified?: 
Host Information 
NASA System Information
Info 
Sen rma 
os HW Sensitivit sitiv tion 
Manuf Manuf OS HW y e Cat Cat 
acture acture Versio Versio Functi Descripti Securit Org. Info ego ego 
Name IP Address Admin r r n n on on yPlan CVE Port Code Exploit system_id ? ry IV 
Sun (Software) | Sun (Hardware) | Solaris 7 | SGE | system_id 7758
Hostile Site Information 
IP Address hostile_site_id 
0.0.0.0 41919 
Additional Information 
Notices 
ID Abbreviation noticeid Date 


No Records Found 


Summary: Re-enabled restriction on shared partitions.
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Chronology: 


NASIRC Notes: 


On May 21, 2004 the system admin notified IT Security that a malicious directory, "stakkato_was_here", had been created on their system. After the console review and investigation, IT Security determined that this system was not compromised, apart from a misconfigured NFS share. The system admin might have accidentally enabled two world-writable partitions, which allowed anyone to mount the partition and create this directory. Also, the malicious directory was created under a non-privileged user. No evidence was found to support that the system was compromised.

Kosmos: On April 29, 2004 at 15:43, the system administrator accidentally shared two directories to everyone using the Solaris share command. On 5/20 at 17:19, an attacker mounted /mnt3 and created two empty directories, one named x and the other stakkato_was_here. No other files were read or written to during that time period, and the directories were unmounted at 17:21. There is no sign of unauthorized OS access to this system, and no way to determine which system mounted the drive. Inmon did not show which system mounted the drive, probably because this system is connected to the same switch that other compromised systems were connected to, so traffic from the [redacted] subnet does not have to flow through any distributor switch or traffic logging device.
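The Kosmos finding above (two directories shared to everyone with the Solaris share command, then mounted and written to from another host) is what a routine export audit is meant to catch. The following is an added example, not from the incident record or any NASA tool: it parses /etc/dfs/sharetab-style lines and flags shares that any client can mount read-write; the paths and host names in the sample table are constructed.

```python
"""Audit Solaris NFS share definitions (sharetab format) for unrestricted exports."""

# Constructed sample in /etc/dfs/sharetab layout: path, resource, fstype, options,
# description, separated by tabs. Paths and host names are invented.
SAMPLE_SHARETAB = (
    "/export/home\t-\tnfs\trw=eng1:eng2,root=eng1\tengineering home dirs\n"
    "/mnt3\t-\tnfs\trw\t\n"                          # rw with no host list: everyone
    "/mnt4\t-\tnfs\t\t\n"                            # no access option at all
    "/opt/tools\t-\tnfs\tro=build,anon=0\tbuild tools\n"
    "/pub\t-\tnfs\tro\tpublic mirror\n"
)


def parse_sharetab(text):
    """Return one dict per share line; the options field becomes a list of raw tokens."""
    shares = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("\t")
        fields += [""] * (5 - len(fields))  # tolerate missing trailing fields
        path, resource, fstype, options, desc = fields[:5]
        shares.append({
            "path": path,
            "resource": resource,
            "fstype": fstype,
            "options": [o for o in options.split(",") if o],
            "description": desc,
        })
    return shares


def assess_share(share):
    """Return a list of findings for one share; an empty list means nothing was flagged."""
    findings = []
    if share["fstype"] != "nfs":
        return findings
    opts = {}
    for token in share["options"]:
        name, _, value = token.partition("=")
        opts[name] = value  # "" means the option carried no host list
    if "rw" not in opts and "ro" not in opts:
        # share_nfs with no access option defaults to read-write for every client.
        findings.append("no access option: share_nfs defaults to rw for every client")
    elif "rw" in opts and opts["rw"] == "":
        findings.append("rw without a host list: writable by every client")
    elif "ro" in opts and opts["ro"] == "" and "rw" not in opts:
        findings.append("ro without a host list: readable by every client")
    if opts.get("anon") == "0":
        findings.append("anon=0: unauthenticated requests and root requests from unlisted clients map to uid 0")
    if "root" in opts:
        findings.append("root=%s: listed clients get root access" % opts["root"])
    return findings


def world_writable_shares(text):
    """Paths any client can mount read-write: the condition behind stakkato_was_here."""
    flagged = []
    for share in parse_sharetab(text):
        findings = assess_share(share)
        if any(f.startswith(("rw without", "no access option")) for f in findings):
            flagged.append(share["path"])
    return flagged


def report(text):
    """One 'path: finding' line per finding, for every share in the table."""
    lines = []
    for share in parse_sharetab(text):
        for finding in assess_share(share):
            lines.append("%s: %s" % (share["path"], finding))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SHARETAB):
        print(line)
```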


6/4/04: Called [redacted] as the information entered indicates this is a Stakkato event; however, it is listed as an Other ITS Concern. He said he didn't know what to call it as it wasn't a system compromise or user, even though under a "user a directory was created on May 20 17:20 with Stakkato_was_here." The partition was later found to be world writable. I told [redacted] that the NASA community would not be seeing this event related to Stakkato as an alert, as we don't issue alerts for Other ITS Concerns. [initials]
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General Information 


Record Number: 200141324 


Title: Supercomputer User Compromise 


Contact Name: (b) (6), (b) (7)(C) 


Contact Center: ARC 


Incident Unauthorized Access 
Categorv: 
Attacker: Stakkato/stkto 


Attacker Note: 


Incident Dates 


Incident Date: 5/20/2004 


Discovered 5/24/2004 
Date: 


NASIRC Notified 6/3/2004 
Date: 


Closed Date: 1/19/2005 


Dates For Other Notifications 
ITSM Date: 


US-CERT Date: 
CSO Date: 
OIG Date: 

CIO Date: 
ITSO Date: 


CCITS Date: 


PII Information 




200141324 


Center: ARC 


Contact Phone: 


Coordinator: (b) (6), (b) (7)(C)


Est. Cost ($): 2000 


Hostile No 

Unknown?: 

Impact: High 

Contact Email: [redacted]
Source of 

Report: 

Est. Cost 20 

(hours): 


Incident Zone: PST 


Discovered PST 
Zone: 


NASIRC Notified EDT 
Zone: 


Closed Zone: 


ITSM Zone: 
US-CERT Zone: 
CSO Zone: 
OIG Zone: 

CIO Zone: 
ITSO Zone: 
CCITS Zone: 


Time Limit: 210 
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PII Involved?: No PII Report Date: 
PII Disclosed By: PII Data Unknown 
Protection: 


PII Data Types: 


Scope of PII Number of 

Exposure: Unauthorized 
People with 
Access: 


PII Report Zone: 


Law No 
Enforcement/ 
IG Notified?: 
Host Information 
NASA System Information 
Info 
Sen rma 
os HW Sensitivit sitiv tion 
Manuf Manuf OS HW y e Cat 
acture acture Versio Versio Functi Descripti Securit Org. Info ego 
Name IP Address Admin r r n n on on yPlan CVE Port Code Exploit system_id ? ry 
Linux Linux A ACCOU 7757 N/ 
nt- A 
User 
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Accou 7761 
nt- 
User 
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Linux Linux 
Accou 7762 
nt- 
User 
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Linux Linux 
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Accou 7763 
nt- 
User 
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Hostile Site Information 


IP Address hostile_site_id 
0.0.0.0 42132 


Additional Information 


Notices 


ID Abbreviation noticeid Date 


No Records Found 
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Summary: 


Chronology: 


NASIRC Notes: 


CVD: An unauthorized access occurred under the username shull for [redacted]. The login lasted two minutes and very few files on this system had an atime last recorded between those two minutes, so very little was probably accessed. /scr2/LOGS/maillog shows a sshd connection inbound using Rhosts / RSA Authentication from [redacted], then a telnetd connection from localhost a minute later, and a refused sshd connection 3 minutes later from [redacted]. No backdoors or sign of root compromise was found.
===============
Several systems on the private network were accessed without authorization via SSH on 5/20 and 5/21. The break-ins took advantage of SSH keys which were not locked with a password, allowing access from trusted machines. [redacted] and [redacted] were compromised, and the attacker switched to several accounts in order to leverage trust relationships with machines on the private network. The systems I have looked at so far did not appear to have root level compromises, probably because all OS patches were up to date. The attacker uses the following hidden directories: "..." and ",." located in / and /tmp. He attempts to delete them when he is finished, but sometimes forgets. He also sometimes forgets to remove his .sh_history, which provided some useful information. On [redacted] the account of [redacted] was compromised from [redacted] and touring.nas.nasa.gov. The attacker logged in to [redacted] at the same time the real [redacted] was logged in. The .sh_history file shows that the attacker was using the command "klist" to list any active Kerberos tickets. These tickets are created with a SecurID card and used to log into classified Department of Defense supercomputers. After a recent compromise, the Department of Defense changed the Kerberos tickets to last only 5 minutes instead of ten hours. The attacker was checking who was idle on the system with w frequently, and if he saw activity he would run klist to see if any valid Kerberos tickets could be abused. The attacker would also look at /etc/kr* for Kerberos configuration information. Since the attacker was using the same source IP as the actual user and was logged in at the same time, it is difficult to determine which logins were authorized. There is however solid evidence that several of the connections were unauthorized. The attacker gains access to systems mostly by leveraging trust relationships between machines. He determined these by looking at /etc/hosts.equiv, /etc/hosts.allow, users' .rhosts files, and users' .ssh/known_hosts files, as well as watching where currently logged in users were connecting to. He uses a tool called "nfsshell" which exploits known weaknesses in the NFS protocol to compromise and steal files from NFS servers, and also scans the local network for Samba vulnerabilities. He installed a log wiper in /usr/bin/zap and a local root backdoor in /usr/bin/foosh. Often he erases logs entirely once obtaining root access. Many of the compromised systems received connections from [redacted] and [redacted]. After we had blocked inbound SSH, he verified that it was still blocked by making inbound ssh connections from [redacted].


CVD: An unauthorized access occurred under the username shull for a. The login lasted two 
minutes and very few files on this system had an atime last recorded between those two minutes, so very little was 
probably accessed. /scr2/LOGS/maillog shows a sshd connection inbound using Rhosts / RSA Authentication from 
lou, then a telnetd connection from localhost a minute later, and a refused sshd connection 3 minutes later from 





















. No backdoors or sign of root compromise was found. =============== Several systems 
on the private were accessed without authorization via SSH on 5/20 and 5/21. The breakins took advantage of SSH 
keys which were not locked with a password, allowing access from trusted machines. and 


IEEE were compromised, and the attacker switched to several accounts in order to leverage trust 
relationships with machines on the private network. The systems | have looked at so far did not appear to have root 
level compromises, probably because all OS patches were up to date. The attacker uses the following hidden 
directories: ... and ,. located in / and /tmp. He attempts to delete them when he is finished, but sometimes forgets. He 
also sometimes forgets to remove his .sh history, which provided some useful information. On apm-iris3, the account 
of was compromised from and BRONZE. The attacker logged in to 
apm-iris3 at the same time the real was logged in. The .sh_history file shows that the attacker was 
using the command "klist" to list any active kerberos tickets. These tickets are created with a SecurelD card and used 
to log into classified Department of Defense supercomputers. After a recent compromise, the Department of Defense 
changed the Kerberos tickets to last only 5 minutes instead of ten hours. The attacker was checking who was idle on 
the system with w frequently, and if he saw activity he would run klist to see if any valid kerberos tickets could be 
abused. The attacker would also look at /etc/kr* for kerberos configuration information. Since the attacker was using 
the same source IP as the actual user and was logged in at the same time, it is difficult to determine which logins 
were authorized. There is however solid evidence that several of the connections were unauthorized. The attacker 
gains access to systems mostly by leveraging trust relationships between machines. He determined these by looking 
at /etc/hosts.equiv, /etc/hosts.allow, users .rhosts files, and users .ssh/known_hosts files, as well as watching where 
currently logged in users were connecting to. He uses a tool called "nfsshell" which exploits known weaknesses in the 
NFS protocol to compromise and steal files from NFS servers, and also scans the local network for samba 
vulnerabilities. He installed a log wiper in /usr/bin/zap and a local root backdoor in /usr/bin/foosh. Often he erases logs 
entirely once obtaining root access. Many of the compromised systems received connections from 

and . After we had blocked inbound SSH, he verified that it was still 
ocked by making inbound ssh connections from (GSS) and 


07/19/2004: DET approved an extension request from BIS. The email request and approval 


emails can be found in the complete folder. (LS) 
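Two of the findings in the note above lend themselves to a host audit: SSH private keys that were never given a passphrase, and the hidden directory names and dropped binaries the attacker left behind. The helpers below are an added example for this record, not part of the NASIRC case file; the key blobs, file inventory and function names are constructed for the demonstration.

```python
"""Audit helpers for the weaknesses described in the incident note:
passphrase-less SSH private keys, and the hidden directories (... and ,.
in / and /tmp) and binaries (/usr/bin/zap, /usr/bin/foosh) it names.
All inputs below are constructed; nothing here is from the case file."""
import base64
import posixpath
import struct

# Indicators quoted from the incident note.
HIDDEN_DIR_NAMES = ("...", ",.")
HIDDEN_DIR_PARENTS = ("/", "/tmp")
DROPPED_BINARIES = ("/usr/bin/zap", "/usr/bin/foosh")  # log wiper, root backdoor


def _ssh_string(blob: bytes, off: int):
    """Read one uint32-length-prefixed SSH string; return (value, new offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def ssh_private_key_is_encrypted(pem_text: str) -> bool:
    """True if a PEM-framed private key is passphrase-protected.

    openssh-key-v1 keys name their cipher right after the magic ("none" means
    no passphrase); legacy PEM keys (RSA/DSA/EC PRIVATE KEY) carry a
    'Proc-Type: 4,ENCRYPTED' header line when encrypted.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("not a PEM-framed private key")
    body = lines[1:-1]
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _ssh_string(blob, len(magic))
        return cipher != b"none"
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)


def audit_paths(paths):
    """Flag the hidden directories and dropped binaries named in the note.
    `paths` is an inventory of absolute paths, e.g. the output of find / -xdev."""
    hits = []
    for p in paths:
        if p in ("", "/"):
            continue
        parent, name = posixpath.split(p.rstrip("/"))
        if name in HIDDEN_DIR_NAMES and parent in HIDDEN_DIR_PARENTS:
            hits.append(("hidden-dir", p))
        elif p in DROPPED_BINARIES:
            hits.append(("dropped-binary", p))
    return hits


def make_openssh_key_blob(cipher: bytes) -> str:
    """Constructed openssh-key-v1 header (cipher, kdf, kdfopts, nkeys) used only
    to exercise the parser; it contains no key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    raw = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples (body is placeholder text, never decoded).
LEGACY_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\n"
                "MIIBOgIBAAJBAK(constructed)\n-----END RSA PRIVATE KEY-----\n")
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "MIIBOgIBAAJBAK(constructed)\n-----END RSA PRIVATE KEY-----\n")


def demo():
    """Run both checks over constructed inputs and return the findings."""
    inventory = ["/etc/passwd", "/...", "/tmp/,.", "/home/user/...",
                 "/usr/bin/zap", "/usr/bin/foosh", "/usr/bin/zip"]
    return {
        "plain_openssh": ssh_private_key_is_encrypted(make_openssh_key_blob(b"none")),
        "enc_openssh": ssh_private_key_is_encrypted(make_openssh_key_blob(b"aes256-ctr")),
        "plain_legacy": ssh_private_key_is_encrypted(LEGACY_PLAIN),
        "enc_legacy": ssh_private_key_is_encrypted(LEGACY_ENCRYPTED),
        "path_hits": audit_paths(inventory),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```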
200141359
General Information
Record Number: 200141359   Center: JPL
Title: Unauthorized Access of helios.jpl.nasa.gov (JPL ID 140)
Contact Name: (b) (6), (b) (NE)   Contact Phone:
Contact Center: NASIRC   Coordinator: (b) (6), (b) (7)(E)
Incident Category: Unauthorized Access   Est. Cost ($): 1200
Attacker: Stakkato   Hostile Unknown?: No
Attacker Note:   Impact: High
Contact Email: [redacted]@nasa.gov
Source of Report: BSD
Est. Cost (hours): 12
Incident Dates
Incident Date: 7/11/2004   Incident Zone: PDT
Discovered Date: 7/15/2004   Discovered Zone: PDT
NASIRC Notified Date: 7/15/2004   NASIRC Notified Zone: EDT
Closed Date: 9/29/2004   Closed Zone: EDT
Dates For Other Notifications
ITSM Date:   ITSM Zone:
US-CERT Date:   US-CERT Zone:
CSO Date:   CSO Zone:
OIG Date:   OIG Zone:
CIO Date:   CIO Zone:
ITSO Date:   ITSO Zone:
CCITS Date:   CCITS Zone:
Time Limit: 30
PII Information
PII Involved?: No   PII Report Date:
PII Disclosed By:   PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:   Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information
NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Sensitivity Category | Information Category
1. OS Manufacturer: Sun (Software)   OS Version: Solaris 2.6   Security Plan: 132   Exploit: Account - User   system_id: 7832   Information Category: PUB
Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41957
Additional Information
Notices
ID | Abbreviation | noticeid | Date
A-04-168 | NASIRC | [illegible] | 15-JUL-2004
HELIOS-ID140-07-2004 | Center | 3312 | 15-JUL-2004
JPL ID 140 | Center | 3440 | 09-SEP-2004
Summary: 9/28: [redacted] listed this incident in the closed section of JPL's weekly update. jil
Chronology:
-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Thursday, July 15, 2004 1:35 PM
To: jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; [redacted]; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) Incident Initial Notification (ID_140)

INITIAL INCIDENT NOTIFICATION
Investigation Name: HELIOS-ID140-07-2004
Incident Date: 2004-07-11, 07:14
Investigator Name: [redacted]
Notified By: NASIRC
JPL Computer Information:
HOSTNAME | IP ADDRESS | OS | FUNCTION | INCIDENT CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | Sun Solaris 2.6 (5.6) | n/a | UA | User Account | No | None
Perpetrator Computer Information:
HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
1. [redacted] | [redacted] | Tucson | AZ | United States
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

NASIRC Notes:
200141374
General Information
Record Number: 200141374   Center: JPL
Title: Unauthorized Access of Five JPL Systems (JPL ID 142)
Contact Name: (b) (6), (b) (7)(C)   Contact Phone:
Contact Center: NASIRC   Coordinator:
Incident Category: Unauthorized Access   Est. Cost ($): 2400
Attacker: Stakkato   Hostile Unknown?: No
Attacker Note:   Impact: High
Contact Email:
Source of Report:
Est. Cost (hours): 24
Incident Dates
Incident Date: 7/20/2004   Incident Zone:
Discovered Date: 7/20/2004   Discovered Zone:
NASIRC Notified Date: 7/21/2004   NASIRC Notified Zone: EDT
Closed Date: 9/30/2004   Closed Zone:
Dates For Other Notifications
ITSM Date:   ITSM Zone:
US-CERT Date:   US-CERT Zone:
CSO Date:   CSO Zone:
OIG Date:   OIG Zone:
CIO Date:   CIO Zone:
ITSO Date:   ITSO Zone:
CCITS Date:   CCITS Zone:
Time Limit: 30
PII Information
PII Involved?: No   PII Report Date:
PII Disclosed By:   PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:   Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information
NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Sensitivity Category | Information Category
1. OS Manufacturer: Sun (Software)   OS Version: Solaris 2.6   Security Plan: 69   Exploit: Account - User   system_id: 8363   Category: BRT
2. OS Manufacturer: Redhat   OS Version: Linux 7.x   Security Plan: 132   Exploit: Account - User   system_id: 8364   Category: BRT
3. OS Manufacturer: Redhat   OS Version: Linux 7.x   Security Plan: 71   Exploit: Account - User   system_id: 8365   Category: BRT
4. OS Manufacturer: Redhat   OS Version: Linux 9.x   Security Plan: 132   Exploit: Account - User   system_id: 8366   Category: BRT
5. OS Manufacturer: Redhat   OS Version: Linux 9.x   Function: Workstation   Security Plan: 132   Exploit: Account - User   system_id: 8098   Category: BRT
Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41970
[redacted] | 41961
Additional Information
Notices
ID | Abbreviation | noticeid | Date
A-04-179 | NASIRC | 3527 | 21-JUL-2004
A-04-179-A | NASIRC | [illegible] | 10-AUG-2004
JPL ID 142 | Center | 3441 | 09-SEP-2004
TIU-ID142-07-2004 | Center | [illegible] | 21-JUL-2004
Summary: 08/10/2004: Updated incident per weekly incident report from [redacted].
Chronology:
-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Wednesday, July 21, 2004 1:56
To: jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) Incident Initial Notification (ID_142)

INITIAL INCIDENT NOTIFICATION
Investigation Name: TIU-ID142-07-2004
Incident Date: 2004-07-20, 16:51
Investigator Name: [redacted]
Notified By: RealSecure
JPL Computer Information:
HOSTNAME | IP ADDRESS | OS | FUNCTION | CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. TIU | [redacted] | RedHat Linux 9.x | workstation | UA | User Account | No | None
Perpetrator Computer Information:
HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
1. ADSL-66-72-48-169.DSL.CHMPIL.AMERITECH.NET | 66.72.48.169 | Urbana | IL | United States
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Friday, August 06, 2004 7:05 PM
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov
Subject: (NASIRC Ref: [redacted]) Weekly Incident Report for [redacted] ul04_05Aug

INCIDENT INFO
Incident Name: TIU-ID142-07-2004
Discovery Date: 20-JUL-04
Exploit Date: 20-JUL-04
Labor Hours: n/a
Labor Cost: n/a
HOSTILE SYSTEMS
Hostile Name: [redacted].CHMPIL.AMERITECH.NET   Hostile IP: [redacted]
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 2.6 (5.6)   OS Version: n/a   System Security Plan: 69
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: User Account   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 132
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 71
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 2.6 (5.6)   OS Version: n/a   System Security Plan: 132
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: 132

-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Tuesday, September 21, 2004 6:3[illegible]
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov
Subject: (NASIRC Ref: 107449773) Weekly Incident Report for [redacted] 13Sep04_[illegible]

CLOSED INCIDENTS: 2
INCIDENT INFO
Incident Name: TIU-ID142-07-2004
Discovery Date: 20-JUL-04
Exploit Date: 20-JUL-04
Labor Hours: 24
Labor Cost: 2400
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 2.6 (5.6)   OS Version: n/a   System Security Plan: 69
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: User Account   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 132
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 7.x   OS Version: n/a   System Security Plan: 71
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 2.6 (5.6)   OS Version: n/a   System Security Plan: 132
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: 132

NASIRC Notes:
200141421
General Information
Record Number: 200141421   Center: JPL
Title: Unauthorized Access of Four JPL Systems (JPL ID 146)
Contact Name: (b) (6), (b) (7)(C)   Contact Phone:
Contact Center: NASIRC   Coordinator:
Incident Category: Unauthorized Access   Est. Cost ($): 28400
Attacker: Stakkato   Hostile Unknown?: No
Attacker Note:   Impact: High
Contact Email:
Source of Report:
Est. Cost (hours): 284
Incident Dates
Incident Date: 8/28/2004   Incident Zone:
Discovered Date: 8/28/2004   Discovered Zone:
NASIRC Notified Date: 8/31/2004   NASIRC Notified Zone: EDT
Closed Date: 9/30/2004   Closed Zone:
Dates For Other Notifications
ITSM Date:   ITSM Zone:
US-CERT Date:   US-CERT Zone:
CSO Date:   CSO Zone:
OIG Date:   OIG Zone:
CIO Date:   CIO Zone:
ITSO Date:   ITSO Zone:
CCITS Date:   CCITS Zone:
Time Limit: 30
PII Information
PII Involved?: No   PII Report Date:
PII Disclosed By:   PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:   Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information
NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Sensitivity Category | Information Category
1. OS Manufacturer: Sun (Software)   OS Version: Solaris 8   Security Plan: Unknown   Exploit: Account - User   system_id: 8417
2. OS Manufacturer: Sun (Software)   OS Version: Solaris 8   Security Plan:   Exploit: Account - User   system_id: 8418
3. OS Manufacturer: Sun (Software)   OS Version: Solaris 7   Security Plan: 482   Exploit: Account - User   system_id: 8419
4. OS Manufacturer: Redhat   OS Version: Linux 8.0   Security Plan: 85   Exploit: Account - User   system_id: 8420
Category: N/A
Hostile Site Information
IP Address | hostile_site_id
[redacted] | 41998
[redacted] | 42000
Additional Information
Notices
ID | Abbreviation | noticeid | Date
A-04-221 | NASIRC | 3401 | 31-AUG-2004
JPL ID 146 | Center | 3443 | 09-SEP-2004
RM 4146-08-20 | Center | 3382 | 31-AUG-2004
Summary: 09/30/2004: Closed per [redacted] weekly incident report.
Chronology:
-----Original Message-----
From: (b) (6), (b) (7)(C) [mailto:[redacted]@nasa.gov]
Sent: Tuesday, August 31, 2004 11:51 AM
To: jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) Incident Initial Notification (ID_146)

INITIAL INCIDENT NOTIFICATION
Investigation Name: [redacted]
Incident Date: 2004-08-28, 05:51
Investigator Name: [redacted]
Notified By: SN[illegible]
JPL Computer Information:
HOSTNAME | IP ADDRESS | OS | FUNCTION | CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | RedHat Linux 9.x | Desktop workstation | SC | Local Root Exploit | No | None
2. [redacted] | [redacted] | Sun Solaris 8 (2.8) | desktop workstation | UA | User Account | No | None
3. [redacted] | [redacted] | Sun Solaris 8 (2.8) | NFS server | UA | User Account | No | None
4. [redacted] | [redacted] | Sun Solaris 7 (2.7) | web server | UA | User Account | No | None
5. [redacted] | [redacted] | RedHat Linux 8.x | desktop workstation | UA | User Account | No | None
6. [redacted] | [redacted] | RedHat Linux 9.x | desktop workstation | SC | Local Root Exploit | No | None
Perpetrator Computer Information:
HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
1. [redacted] | [redacted] | Lausanne | n/a | Switzerland
2. [redacted] | [redacted] | Boulder | [redacted] | United States
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Wednesday, September 29, 2004 6:18
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov
Subject: (NASIRC Ref: 107452372) Weekly Incident Report for [redacted] 28Sep04[illegible]

CLOSED INCIDENTS: 2
INCIDENT INFO
Incident Name: [illegible]-08-2004
Discovery Date: 28-AUG-04
Exploit Date: 28-AUG-04
Labor Hours: 284
Labor Cost: 28400
HOSTILE SYSTEMS
Hostile Name: [redacted]   Hostile IP: [redacted]
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 7 (2.7)   OS Version: n/a   System Security Plan: 482
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 8.x   OS Version: n/a   System Security Plan: 85
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
200141422
General Information
Record Number: 200141422   Center: JPL
Title: System Compromise of Two JPL Systems (JPL ID 146)
Contact Name: (b) (6), (b) (7)(C)   Contact Phone:
Contact Center: NASIRC   Coordinator:
Incident Category: System Compromise   Est. Cost ($): 28400
Attacker: Stakkato   Hostile Unknown?: No
Attacker Note:   Impact: High
Contact Email:
Source of Report:
Est. Cost (hours): 284
Incident Dates
Incident Date: 8/28/2004   Incident Zone:
Discovered Date: 8/28/2004   Discovered Zone:
NASIRC Notified Date: 8/31/2004   NASIRC Notified Zone: EDT
Closed Date: 9/30/2004   Closed Zone:
Dates For Other Notifications
ITSM Date:   ITSM Zone:
US-CERT Date:   US-CERT Zone:
CSO Date:   CSO Zone:
OIG Date:   OIG Zone:
CIO Date:   CIO Zone:
ITSO Date:   ITSO Zone:
CCITS Date:   CCITS Zone:
Time Limit: 30
PII Information
PII Involved?: No   PII Report Date:
PII Disclosed By:   PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:   Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information
NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Sensitivity Category | Information Category
1. OS Manufacturer: Redhat   OS Version: Linux 9.x   Function: Workstation   Exploit: Local Root Exploit   system_id: 8416   Category: N/A
2. OS Manufacturer: Redhat   OS Version: Linux 9.x   Exploit: Local Root Exploit   system_id: 8421   Category: N/A
Hostile Site Information
IP Address | hostile_site_id
[redacted] | 42001
(b) (6), (b) (7)(E) | 42002
Additional Information
Notices
ID | Abbreviation | noticeid | Date
A-04-222 | NASIRC | 3400 | 31-AUG-2004
JPL ID 146 | Center | 3444 | 09-SEP-2004
[illegible]46-08-20 | Center | 3381 | 31-AUG-2004
Summary: 09/30/2004: Closed per weekly incident report from [redacted] @ JPL.
Chronology:
-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Tuesday, August 31, 2004 11:51 AM
To: jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) Incident Initial Notification (ID_146)

INITIAL INCIDENT NOTIFICATION
Investigation Name: [redacted]
Incident Date: 2004-08-28, 05:51
Investigator Name: [redacted]
Notified By: SN[illegible]
JPL Computer Information:
HOSTNAME | IP ADDRESS | OS | FUNCTION | CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | RedHat Linux 9.x | Desktop workstation | SC | Local Root Exploit | No | None
2. [redacted] | [redacted] | Sun Solaris 8 (2.8) | desktop workstation | UA | User Account | No | None
3. [redacted] | [redacted] | Sun Solaris 8 (2.8) | NFS server | UA | User Account | No | None
4. [redacted] | [redacted] | Sun Solaris 7 (2.7) | web server | UA | User Account | No | None
5. [redacted] | [redacted] | RedHat Linux 8.x | desktop workstation | UA | User Account | No | None
6. [redacted] | [redacted] | RedHat Linux 9.x | desktop workstation | SC | Local Root Exploit | No | None
Perpetrator Computer Information:
HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
1. [redacted] | [redacted] | Lausanne | n/a | Switzerland
2. [redacted] | [redacted] | Boulder | [redacted] | United States
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Wednesday, September 29, 2004 6:[illegible]
To: nasirc@nasirc.hq.nasa.gov
Cc: security@telchar.jpl.nasa.gov; jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov
Subject: (NASIRC Ref: 107452372) Weekly Incident Report for [redacted] 28Sep04_[illegible]

CLOSED INCIDENTS: 2
INCIDENT INFO
Incident Name: [redacted]
Discovery Date: 28-AUG-04
Exploit Date: 28-AUG-04
Labor Hours: 284
Labor Cost: 28400
HOSTILE SYSTEMS
Hostile Name: LANOSLNX.EPFL.CH   Hostile IP: 128.178.34.19
Hostile Name: [redacted]   Hostile IP: [redacted]
AFFECTED SYSTEMS
Domain Name: jpl.nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 8 (2.8)   OS Version: n/a   System Security Plan: n/a
Domain Name: [redacted].nasa.gov   IP Address: 137.78.218.98   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: Sun Solaris 7 (2.7)   OS Version: n/a   System Security Plan: 482
Domain Name: [redacted]   IP Address: [redacted]   Incident Category: Unauthorized Access   Exploit Used: User Account   System OS: RedHat Linux 8.x   OS Version: n/a   System Security Plan: 85
Domain Name: [redacted].nasa.gov   IP Address: [redacted]   Incident Category: System Compromise   Exploit Used: Local Root Exploit   System OS: RedHat Linux 9.x   OS Version: n/a   System Security Plan: n/a

NASIRC Notes:
General Information
Record Number: 200141479   Center: JPL
Title: helios, orac, frigg and platte (JPL ID 154)
Contact Name: (b) (6)   Contact Phone:
Contact Center: NASIRC   Coordinator: (b) (6)
Incident Category: Unauthorized Access   Est. Cost ($): 4000
Attacker: Stakkato   Hostile Unknown?: No
Attacker Note:   Impact: Medium
Contact Email: [redacted]@nasa.gov
Source of Report: [illegible] RealSecure
Est. Cost (hours): 40
Incident Dates
Incident Date: 10/22/2004   Incident Zone:
Discovered Date: 10/22/2004   Discovered Zone:
NASIRC Notified Date: 10/23/2004   NASIRC Notified Zone: EDT
Closed Date: 12/2/2004   Closed Zone:
Dates For Other Notifications
ITSM Date: 10/25/2004   ITSM Zone:
US-CERT Date:   US-CERT Zone:
CSO Date:   CSO Zone:
OIG Date:   OIG Zone:
CIO Date:   CIO Zone:
ITSO Date:   ITSO Zone:
CCITS Date:   CCITS Zone:
Time Limit: 30
PII Information
PII Involved?: No   PII Report Date:
PII Disclosed By:   PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:   Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information
NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Sensitivity Category | Information Category
1. OS Manufacturer: Sun (Hardware)   OS Version: Solaris 9   Security Plan: 132   Exploit: Root Account Cracked   system_id: 3625   Sensitivity Category: SER CAT 1   Information Category: U
Further rows (only these columns survived extraction): Security Plan: 245   Exploit: Root Account [Cracked]; Security Plan: 132
Hostile Site Information
IP Address | hostile_site_id
(b) (6), (b) (7)(E) | 42047
Additional Information
Notices
ID | Abbreviation | noticeid | Date
PLATTE-ID154-10-2004 | Center | 3483 | 27-OCT-2004
Summary: 10/27/2004: Received a JPL Incident Initial Notification. [redacted] Alert issued. 11/19/2004: NASIRC received updated information regarding this incident. Updates were made.
Chronology:
-----Original Message-----
From: [redacted] [mailto:[redacted]@nasa.gov]
Sent: Wednesday, October 27, 2004 1:37 PM
To: jpl-ccd@imx.hq.nasa.gov; [redacted]@nasa.gov; [redacted]@nasa.gov; [redacted]; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov
Subject: (NASIRC Ref: [redacted]) Incident Initial Notification (ID_154)

INITIAL INCIDENT NOTIFICATION
Investigation Name: PLATTE-ID154-10-2004
Incident Date: 2004-10-22, 12:00
Investigator Name: [redacted]
Notified By: RealSecure
JPL Computer Information:
HOSTNAME | IP ADDRESS | OS | FUNCTION | CAT | EXPLOIT | SENS INFO | SENS INFO DESC
1. [redacted] | [redacted] | RedHat Linux 9.x | n/a | SC | Root account cracked | No | None
2. [redacted] | [redacted] | Sun Solaris 9 | n/a | SC | Root account cracked | No | None
3. ORAC | [redacted] | RedHat Linux 7.x | n/a | | Root account cracked | No | None
4. PLATTE | [redacted] | RedHat Enterprise 3 | n/a | SC | User Account | No | None
Perpetrator Computer Information:
HOSTNAME | IP ADDRESS | CITY | STATE | COUNTRY
1. UNREGISTERED | [redacted] | London | n/a | United Kingdom
Sensitive Information Involved: No
Description of Sensitive Information Involved: None
Additional Information: None.
NASIRC Action: None.

-----Original Message-----
From: [redacted]
Sent: Monday, October 25, 2004 6:08 AM
To: [redacted]
Subject: FW: (NASIRC Ref: [redacted]) new info (fwd)

Got some more info that you will probably want to look into. We are monitoring a web server on which stakkato has some exploits, the suckit rootkit and his trojaned ssh client. The following was in the web logs when I checked:

[redacted] - - [24/Oct/2004:10:27:48 -0400] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 200 792723 [helios.jpl.nasa.gov]
[redacted] - - [24/Oct/2004:10:48:52 -0400] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" [orac.jpl.nasa.gov]

The current password collector uses the DynDNS hostname stakkato.dyndns.ws and points to [redacted] (aae105-dhcp-13.ecn.purdue.edu). You might want to see if you have any network flows to that host on port [redacted]. We are working with Purdue to get more info from this machine, but it's taking a bit of time. Let me know if you need more info.

[redacted]
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
Voice: [redacted]   Cell: [redacted]
[redacted] East Springfield Avenue, Champaign, IL 61820
http://www.ncsa.uiuc.edu

Date: Sat, 23 Oct 2004 01:55:02 -0500
From: [redacted]
To: nasirc@nasirc.hq.nasa.gov, [redacted]@nasa.gov
Subject: (NASIRC Ref: [redacted]) new info

[redacted], et al.,

Got some info earlier from a friend who has been watching some IRC channels for our friend and saw this pop up today:

(15:38) [EFNet] -!- Irssi: stakkato [redacted] has joined to EFNet
(16:17) [EFNet] -!- Irssi: stakkato has left [redacted]
[EFNet] -!- stakkato [redacted]@[redacted].jpl.nasa.gov]
(20:33) [EFNet] -!- was [redacted]
(20:33) [EFNet] -!- server : irc.efnet.nl [Fri Oct [illegible] 04]
(20:33) [EFNet] -!- End of WHOWAS

Looks like someone with the account [redacted] on [redacted].nasa.gov got on EFNet with the nick of stakkato this afternoon. Not sure how they got this account, but it might be good to touch base sometime early next week and I can update you on the activity we have seen in the last few weeks (machines compromised, etc.).

[redacted]
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
Voice: [redacted]   Cell: [redacted]   Fax: [redacted]
[redacted] East Springfield Avenue, Champaign, IL 61820
http://www.ncsa.uiuc.edu

------- End of Forwarded Message

NASIRC Notes: 10/27/2004: aae105-dhcp-13.ecn.purdue.edu ([redacted]) was provided by [redacted].
General Information
Record Number: 200141486   Center: ARC
Title: Compromised Account on Lomax(NAS)
Contact Name: (b) (6), (b) (7)(C)   Contact Phone:
Contact Center: ARC   Coordinator: (b) (6), (b) (7)(C)
Incident Category: Unauthorized Access   Est. Cost ($): 1130450
Attacker: Stakkato   Hostile Unknown?: No
Attacker Note:   Impact: High
Contact Email: [redacted]@nasa.gov
Source of Report:
Est. Cost (hours): 11304.5
Incident Dates
Incident Date: 10/22/2004   Incident Zone: PDT
Discovered Date: 10/23/2004   Discovered Zone: PDT
NASIRC Notified Date: 10/25/2004   NASIRC Notified Zone: EDT
Closed Date: 10/19/2005   Closed Zone: EST
Dates For Other Notifications
ITSM Date:   ITSM Zone:
US-CERT Date:   US-CERT Zone:
CSO Date:   CSO Zone:
OIG Date:   OIG Zone:
CIO Date:   CIO Zone:
ITSO Date:   ITSO Zone:
CCITS Date:   CCITS Zone:
Time Limit: 360
PII Information
PII Involved?: No   PII Report Date:
PII Disclosed By:   PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:   Number of Unauthorized People with Access:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information
NASA System Information
Columns: Name | IP Address | Admin | OS Manufacturer | HW Manufacturer | OS Version | HW Version | Function | Description | Security Plan | CVE | Port | Org. Code | Exploit | system_id | Sensitive Info? | Sensitivity Category | Information Category
1. OS Manufacturer: SGI   HW Manufacturer: SGI   OS Version: IRIX   Function: Unknown   Security Plan: IN[illegible]   Exploit: Account - User   system_id: 3639   Sensitive Info?: Y   Sensitivity Category: SER CAT 1
Hostile Site Information
IP Address | hostile_site_id
[redacted] | 42820
Additional Information
Notices
ID | Abbreviation | noticeid | Date
A-05-180 | NASIRC | 4597 | 20-OCT-2005
Summary: 10/12/2005: 200141309 & 200141486 should have been combined. Please reference both. ***Begin ARC/NAS system to watch (Incident Record # 200141478)*** lomax.nas.nasa.gov ([redacted]) account: [redacted] **End ARC*** 10/25/2004: Received a report of a 48 hour inbound & outbound block of lomax.nas.nasa.gov ([redacted]) from Remedy. Email sent to [redacted].
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Chronology:

Reply To: To: Subject: Re: Recent incident From: Dave Tweten Date: Mon, 25 Oct 20 :52 Sender: nas.nasa.gov X-Junkmail-Status: score=15/60, host=arc-relay2.arc.nasa.gov X-Junkmail-Whitelist: YES (by domain whitelist at arc-relay2.arc.nasa.gov) Attachment converted: Macintosh HD:Re- Recent incident (MiME/CSOm) (0022094C)

On Saturday afternoon, relayed a message from NISN, indicating that there was IRC traffic between lomax.nas.nasa.gov and Romania. came in and discovered a compromised user account, spahr. It is an account belonging to . said it had an IRC relay installed on Lomax, as the user. noticed evidence that other UCLA accounts may have been compromised too. We decided to disable all accounts coming to us from UCLA until we could sort things out. promised to page me if anything more serious turned up, and promised to give me a full report when he comes in on Monday. I have not been paged.
-- Office: , M/S: , Phone , FAX: , 1024-bit
The foregoing is far too clearly stated to be an official NASA position.

-----Original Message----- From: Mail, Remedy [mailto:Remedy.Mail@msfc.nasa.gov] Sent: Saturday, October 23, 2004 8:32 PM To: nasirc@nasirc.hq.nasa.gov Subject: (NASIRC Ref: 107455509) ITS Event ITS000000070168 UNITES ENMC Assignment

ITS Event ITS000000070168 has been assigned to UNITES ENMC and is blocked 48 Hours. Type of Event: UNAUTHORIZED ACCESS

-----Original Message----- From: nasa.gov] Sent: Monday, October 25, 2004 11:10 AM To: Subject: Re: Update Importance: High

responded to 's notice, and found user account was compromised on . The also found a binary downloaded on Lomax, Oct. 22, 2004 that was reported to consist of the following characters: PSFLYBNZ (reported by the IT Security person in charge of the NAS). ARC disabled all the UCLA user accounts from the machine.

At 11:37 AM -0400 10/25/04, wrote:
>Attachment converted: Intrigue:smime 106.p7m (MiME/CSOm) (000A96F0)
>= = = = Security Information = = = =
>Signed with SHA1-RSA
>Encrypted with RC2-128 Compatible
>Signed By:
>Certified By: cn=EntrustCA, o=National Aeronautics and Space Administration, c=US
>
>Hey Gang,
> reported some more possible Supercomputing Activity at JPL after seeing some IRC traffic. Coincidentally, also blocked an NAS system around the same time because of questionable IRC traffic to Romania. I'm 99% sure the systems at JPL were hit by you-know-who. NAS could be a coincidence.
>
>Here are the systems to watch out for:
>
>JPL (Incident Record # 200141479)
>helios.jpl.nasa.gov
>orac.jpl.nasa.gov
>platte.jpl.nasa.gov
>account: , Phone , Org
>
>ARC/NAS (Incident Record # )
>lomax.nas.nasa.gov
>
>University of Purdue (Incident Record # 200141479)
>aae105-dhcp-13.ecn.purdue.edu
>
> messages are attached below.
>
>Carey
>
>Begin Fwd Msg
>
>-----Original Message-----
>From:
>Sent: Monday, October 25, 2004 6:08 AM
>To:
>Subject: FW: (NASIRC Ref: ) new info (fwd)
>
>Got some more info that you will probably want to look into. We are monitoring a web server that stakkato has some exploits, the suckit rootkit and his trojaned ssh client. The following was in the web logs when I checked today:
>
> - - [24/Oct/2004:10:27:48 -0400] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 200 792723 [helios.jpl.nasa.gov]
> - - [24/Oct/2004:10:48:52 -0400] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 200 792723 [orac.jpl.nasa.gov]
>
>The current password collector uses the DynDNS hostname stakkato.dyndns.ws and points to (aae105-dhcp-13.ecn.purdue.edu). You might want to see if you have any network flows to that host on port . We are working with Purdue to get more info from this machine, but it's taking a bit of time.
>
>Let me know if you need more info.
>
> Head of Security Operations and Incident Response
>National Center for Supercomputing Applications
>605 East Springfield Avenue, Champaign, IL 61820
>Voice: Cell: Fax:
>http://www.ncsa.uiuc.edu/-jbarlow
>
>Date: Sat, 23 Oct 2004 01:55:02 -0500
>From:
>To: nasirc@nasirc.hq.nasa.gov, nasa.gov
>Cc:
>Subject: (NASIRC Ref: 7) new info
>
> et al.,
>
>Got some info earlier from a friend who has been watching some IRC channels for our friend and saw this pop up today:
>
>(15:38) [EFNet] -!- Irssi: stakkato has joined to EFNet
>(16:17) [EFNet] -!- Irssi: stakkato has left EFNet
>(20: ) [EFNet] -!- stakkato jpl.nasa.gov]
>(20:33) [EFNet] -!- was
>(20:33) [EFNet] -!- server : irc.efnet.nl [Fri Oct :16:38 2004]
>(20:33) [EFNet] -!- End of
>
>Looks like someone with the account got on EFNet with the nick of stakkato this afternoon. Not sure how they got this account, but it might be good to touch base sometime early next week and I can update you on the activity we have seen in the last few weeks (machines compromised, etc.).
>
> Barlow
>Head of Security Operations and Incident Response
>National Center for Supercomputing Applications
>605 East Springfield Avenue, Champaign, IL 61820
>Voice: Cell: Fax:
>
>End of Forwarded Message
>Content-Type: application/rtf
>Attachment converted: Intrigue: Untitled 95 (????/----) (00049755)

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NASA Ames Research Center
Center Information Technology Security Manager
Office of the Chief Information Officer, MS 233-17 NASA ARC
Moffett Field, CA 94035
Office phone: Cell: Home Cell: nasa.gov
=======================

Subject: Re: Fwd: FW: (NASIRC Ref: ) Incidents 200141486 and 200141309 From: Reply-To: nasa.gov To: Organization: NASA Advanced Supercomputing Division Date: Wed, 19 Oct :39:10 -0700 X-Proofpoint-Spam-Reason: safe

Operating System: SGI Irix
Version Number: 6.5.23
Exploit Type: User account password compromise at UCLA
Information Category: non-sensitive SER
Date/Time of Discovery: 1641PDT Oct 23, 2004
Date/Time of Exploit: 1521PDT Oct 22, 2004
Hostile Site:

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NASIRC Notes: 10/12/2005: 200141309 & 200141486 should have been combined. Please reference both. 10/26/2004: entered 200141478 on 10/25/2004, ARC entered 200141486. copied information from the 200141478 summary and pasted into 200141486. 11/23/2004: approved an extension for this incident.

-----Original Message----- From: nasa.gov] Sent: Tuesday, November 23, 2004 To: nasa.gov; Subject:
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200141493 





General Information
Record Number: 200141493
Center: GSFC
Title: Linux kernel Exploit of Three GSFC Systems
Contact Name:
Contact Center: NASIRC
Contact Phone:
Contact Email: nasa.gov
Coordinator: (b)(6), (b)(7)(C)
Incident Category: Unauthorized Access
Attacker: Stakkato
Attacker Note:
Est. Cost ($): 2600
Est. Cost (hours): 26
Hostile Unknown?: No
Impact: Unknown
Source of Report:
Incident Dates
Incident Date: 11/6/2004 (EST)
Discovered Date: 11/6/2004 (EST)
NASIRC Notified Date: 11/6/2004 (EDT)
Closed Date: 12/10/2004
Dates For Other Notifications
ITSM Date: 11/8/2004 (EST)
US-CERT Date:
CSO Date:
OIG Date:
CIO Date:
ITSO Date:
CCITS Date:
Time Limit: 30
PII Information
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PII Involved?: No
PII Disclosed By:
PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:
Number of Unauthorized People with Access:
PII Report Date:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information
NASA System Information
Host 1: Name: ; IP Address: ; Admin: Richard Molle; OS Manufacturer: Linux; OS Version: Mandrake; HW Manufacturer: Other; HW Version: Unknown; Function: Server: Application; Description: ; Security Plan: ; CVE: ; Port: ; Org. Code: 900.3; Exploit: Linux Kernel do_brk; system_id: 8713; Sensitive Info?: ; Information Category: SER; Category: CAT 6 (Investigation)
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Host 2: Name: ; IP Address: ; Admin: ; OS Manufacturer: SGI; OS Version: IRIX; HW Manufacturer: ; HW Version: ; Function: Workstation; Description: ; Security Plan: ; CVE: ; Port: ; Org. Code: 913; Exploit: ; system_id: 8790; Sensitive Info?: U; Information Category: SER; Category: CAT 1
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Hostile Site Information
IP Address: ; hostile_site_id: 42091

Additional Information
Notices
ID | Abbreviation | noticeid | Date
107458683 | Mail Handler | 3489 | 06-NOV-2004

Summary: 11/06/04: Renee sent an email on this Saturday to NASIRC notifying us that the password collector moved and that cerebus may be hacked. ci. 11/08/04: found the email this morning (Monday) and fwd to group. called and said this was compromised and that other systems may also be affected. is looking into it and we can anticipate a report tomorrow. ci. 11/09/04: added the traffic captured by and fwd to group. confirmed what I said yesterday, and we can still anticipate a report later today. ci. 12/10/2004: This system has returned to operation. Incident hours updated. 12/15/2004: Incident hours updated.
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Chronology:

NASIRC Notes:

-----Original Message----- Sent: Monday, November 08, 2004 8:25 AM To: Subject: update Importance: High

***** ENCRYPT PRIOR TO TRANSMISSION *****

Hi , suspects cerebus.gsfc.nasa.gov has been hacked. He also reports the password collector has moved to pacbell.net. My queries on NCARS IDS data for a one month interval on both of these IP addresses yield a null result. (Incident 200141493 has been opened as an Unconfirmed Report for cerebus.)

-----Original Message----- From: [mailto: ncsa.uiuc.edu] Sent: Saturday, November 06, 2004 11:52 PM To: nasirc@nasirc.hq.nasa.gov; nasa.gov Cc: Subject: (NASIRC Ref: 107458683) another host

Got another host to track down. The following was downloaded from the web server that we are monitoring:

 - - [06/Nov/2004:08:08:47 -0500] "GET /.mremap_pte HTTP/1.0" 200 467647 [cerebus.gsfc.nasa.gov]

The above is a precompiled linux kernel exploit. Another thing to note is that the password collector moved this morning to (adsl-67-125-72-209.dsl.snfc21.pacbell.net). That's all I got for now.

Head of Security Operations and Incident Response
National Center for Supercomputing Applications
605 East Springfield Avenue, Champaign, IL 61820
Voice: Cell: Fax:
http://www.ncsa.uiuc.edu

***BEGIN NISN CAPTURE***

7:08 CDT 11-06-2004: IP makes contact with via port 53 (DNS). Although there is no full packet capture, ensuing traffic does not resemble "normal" DNS traffic: "normal" DNS traffic usually uses the UDP protocol, although it can use TCP. However, the DNS name of (adsl-67-125-72-209.dsl.snfc21.pacbell.net) indicates a DSL connection, which makes it unlikely to have a valid DNS server running.

07:08:25.691611 > : S (0) win 5840 (DF) [tos 0x10]
07:08:27.057543 : win 5792 (DF) [tos 0x10]
[tos 0x10]
07:08:29.200389 :
07:08:29.299075 9 win 5792 (DF) [tos 0x10]
07:08:29.520690 (b)(6), (b)(7)(C) 840 (DF) [tos 0x10]
07:08:29.620507 67.125.72.209.53 > : . ack 17 win 5792 (DF) [tos 0x10]
07:08:29.620881 67.125.72.209.53 > : F 1:1(0) ack 17 win 5792 (DF) [tos 0x10]
07:08:29.621631 > : F :17(0) ack 2 win 5840 (DF) [tos 0x10]
07:08:29.720823 > : . ack 18 win 5792 (DF) [tos 0x10]

07:08:36 CDT: IP 128.183.107.95 connects to 66.92.150.48 (ick.myleft.net) via port 80, and begins transfer of data. Though we do not have any payload data, the timestamp and connection characteristics are consistent with the details of the compromise.

07:08:36.965855 128.183.107.95.48884 > 66.92.150.48.80: S (0) win 5840 (DF)
07:08:37.146247 (b)(6), (b)(7)(C) (0) ack 1342853138 win 32120
07:08:37.147121 win 5840 (DF)
07:08:37.147371 (DF)
07:08:37.327513 > 66.92.150.48.80: . ack
: P 1:111(110) ack 1 win 5840 (DF)
07:08:37.425955 (DF)
07:08:37.427086 > 66.92.150.48.80: . ack win 8688 (DF)
07:08:37.459808 . 1449:2897(1448) ack 111 win 32120 (DF)
07:08:37.461058 . ack 2897 win 11584 (DF)
...
07:08:49.044617 > : win 63712 (DF)
07:08:49.222013 66.92.150.48.80 > : . ack 112 win 32120 (DF)
07:08:49.224133 F : ack 112 win 32120 (DF)
07:08:49.224759 . ack 467957 win 63712 (DF)

07:13 CDT: IP connects to (login.hpcx.ac.uk) via port (SSH), transfers some data, then connects to (soling.cs.vu.nl) via port 80. Because we have no full packet captures, any traffic listed by this point is debatable as to if it is "normal" or hostile traffic. No further outbound traffic is seen coming from for the rest of the day.

***END NISN CAPTURE***
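The NISN note above reasons from two observations: TCP to port 53 is legal but unusual (DNS normally rides on UDP), and a host whose reverse name says "adsl ... dsl.snfc21.pacbell.net" has no business answering on 53 at all; the HTTP transfer eleven seconds later then matches the download NCSA reported. The following is an added example, not NISN's, NCSA's or NASA's code, that applies that reasoning to flow records and also does the check NCSA suggested on 25 October ("see if you have any network flows to that host"): a watchlist of reported password-collector addresses. The `Flow` layout, the `rdns` map, the residential-name regex, the 60-second window and the 192.0.2.x addresses are assumptions; the sample flows are constructed to follow the capture's timeline (TCP/53 to 67.125.72.209 at 07:08:25 returning one byte, as the `ack 2` shows; a 467957-byte HTTP transfer from 66.92.150.48, the final ack count in the capture, roughly the 467647-byte `.mremap_pte` plus headers; SSH and a second HTTP fetch five minutes later).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reverse-DNS name shapes that point at residential or dynamic address space.
# Assumption: built from the names quoted in the records (adsl-...dsl.snfc21.pacbell.net,
# aae105-dhcp-13..., stakkato.dyndns.ws, ...NYC.RR.COM); extend for your own ISPs.
RESIDENTIAL_RE = re.compile(
    r"(^|[.-])(a?dsl|dhcp|dyn(?:dns|amic)?|cable|ppp|pool)[.-]|\.rr\.com$",
    re.IGNORECASE,
)


@dataclass
class Flow:
    """One connection summary (constructed shape, not a NISN or NCARS format)."""
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    bytes_in: int   # bytes the destination sent back to the source


def is_residential(name):
    """True if a reverse-DNS name looks like DSL/cable/dial-up/dynamic space."""
    return bool(name) and RESIDENTIAL_RE.search(name) is not None


def analyze(flows, rdns, watchlist, window=timedelta(seconds=60)):
    """Flag, in time order:
      - any flow to a watchlisted (reported attacker infrastructure) address;
      - TCP to port 53 on a host whose reverse name says residential;
      - an outbound HTTP connection from the same source within `window`
        of such a TCP/53 contact (check-in, then tool download).
    rdns maps ip -> reverse name, standing in for the lookups the analyst did by hand."""
    alerts = []
    last_tcp53 = {}  # src -> time of its last TCP/53 flow to a residential host
    for f in sorted(flows, key=lambda x: x.ts):
        name = rdns.get(f.dst, "")
        if f.dst in watchlist:
            alerts.append({"kind": "watchlist", "ts": f.ts, "src": f.src,
                           "dst": f.dst, "why": watchlist[f.dst]})
        if f.proto == "tcp" and f.dport == 53 and is_residential(name):
            last_tcp53[f.src] = f.ts
            alerts.append({"kind": "tcp53_to_residential", "ts": f.ts, "src": f.src,
                           "dst": f.dst, "why": f"TCP to port 53 on {name}"})
            continue
        t0 = last_tcp53.get(f.src)
        if t0 is not None and f.proto == "tcp" and f.dport == 80 and f.ts - t0 <= window:
            gap = int((f.ts - t0).total_seconds())
            alerts.append({"kind": "download_after_tcp53", "ts": f.ts, "src": f.src,
                           "dst": f.dst, "bytes_in": f.bytes_in,
                           "why": f"{f.bytes_in} bytes over HTTP {gap}s after the TCP/53 contact"})
    return alerts


def at(h, m, s):
    # 2004-11-06, local time (CDT) as written in the NISN note
    return datetime(2004, 11, 6, h, m, s)


# Constructed sample input following the capture's timeline. 128.183.107.95,
# 67.125.72.209 and 66.92.150.48 appear in the record; the 192.0.2.x hosts stand in
# for addresses that were redacted (a local resolver, login.hpcx.ac.uk, soling.cs.vu.nl).
SAMPLE_RDNS = {
    "192.0.2.53": "resolver.example.net",
    "67.125.72.209": "adsl-67-125-72-209.dsl.snfc21.pacbell.net",
    "66.92.150.48": "ick.myleft.net",   # name truncated in the record
    "192.0.2.50": "login.hpcx.ac.uk",
    "192.0.2.60": "soling.cs.vu.nl",
}
SAMPLE_WATCHLIST = {
    "67.125.72.209": "password collector as reported by NCSA on 2004-11-06",
}
SAMPLE_FLOWS = [
    Flow(at(7, 7, 59), "128.183.107.95", 33001, "192.0.2.53", 53, "udp", 96),       # ordinary DNS
    Flow(at(7, 8, 25), "128.183.107.95", 33002, "67.125.72.209", 53, "tcp", 1),     # 17 bytes out, 1 byte back
    Flow(at(7, 8, 36), "128.183.107.95", 48884, "66.92.150.48", 80, "tcp", 467957), # the download
    Flow(at(7, 13, 0), "128.183.107.95", 33003, "192.0.2.50", 22, "tcp", 20480),    # SSH to hpcx
    Flow(at(7, 13, 30), "128.183.107.95", 33004, "192.0.2.60", 80, "tcp", 5120),    # later HTTP, outside window
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS, SAMPLE_RDNS, SAMPLE_WATCHLIST):
        print(f'{a["ts"].strftime("%H:%M:%S")} {a["kind"]:22} {a["src"]} -> {a["dst"]}: {a["why"]}')
```

The 07:13 SSH and HTTP connections produce nothing, which mirrors the analyst's own caution that traffic by that point is "debatable": the heuristic only fires on the pairing it can justify. On a real flow feed the `rdns` map would be replaced by cached PTR lookups, and `window` tuned to how quickly the observed tooling fetches its payload after check-in.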
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200141547
General Information
Record Number: 200141547
Center: JPL
Title: Unauthorized Access of tcom-cm-out.jpl.nasa.gov (ID160)
Contact Name: (b)(6), (b)(7)(C)
Contact Center: NASIRC
Contact Phone:
Contact Email: nasirc.nasa.gov
Coordinator:
Incident Category: Unauthorized Access
Attacker: Stakkato
Attacker Note:
Est. Cost ($): 1400
Est. Cost (hours): 14
Hostile Unknown?: No
Impact: High
Source of Report:
Incident Dates
Incident Date: 2/22/2005 (EST)
Discovered Date: 2/22/2005 (EST)
NASIRC Notified Date: 2/22/2005 (EST)
Closed Date: 3/6/2005
Dates For Other Notifications
ITSM Date: 2/22/2005
US-CERT Date: 2/22/2005
CSO Date:
OIG Date: 2/22/2005
CIO Date:
ITSO Date:
CCITS Date: 2/22/2005
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Time Limit: 30
PII Information
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PII Involved?: No
PII Disclosed By:
PII Data Protection: Unknown
PII Data Types:
Scope of PII Exposure:
Number of Unauthorized People with Access:
PII Report Date:
PII Report Zone:
Law Enforcement/IG Notified?: No
Host Information
NASA System Information
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Host 1: Name: ; IP Address: ; Admin: ; OS Manufacturer: Sun (Software); OS Version: Solaris 8; HW Manufacturer: ; HW Version: ; Function: Server: Harvest; Description: ; Security Plan: ; CVE: ; Port: ; Org. Code: ; Exploit: Root Account Cracked; system_id: 8936; Sensitive Info?: ; Information Category: SER; Category:
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Hostile Site Information
IP Address: ; hostile_site_id: 42188

Additional Information
Notices
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ID | Abbreviation | noticeid | Date
A-05-38 | NASIRC | 3573 | 22-FEB-2005
A-05-38-A | NASIRC | 3572 | 07-MAR-2005
TCOM-CM-OUT-ID160 | Center | 3567 | 22-FEB-2005

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Summary:


Chronology: 


NASIRC Notes: 









2/22: supplied NASA with some information via phone and email about a Stakkato incident. ‘called 
Beem JPL. They were aware of the activity and were already conducting analysis. ‘left 
voice mail for and Bes) apprising them of the situation. Called L © but did not leave 
a message because his greeting said he was out of the office. Then sent email to the group of old. 


certificate was expired so he was removed from the distribution. Called him instead and he was already up to 
speed. - ci. 

















----- Original Message----- From: .jpl.nasa.gov [mailto .jpl.nasa.gov] Sent: Tuesday, 
February 22, 2005 4:19 PM To: jpl-ccd@imx.hq.nasa.gov; Jpl.nasa.gov; SING asa. gov; 
jpl.nasa.gov; nasirc@nasirc.hq.nasa.gov; security@telchar.jpl.nasa.gov Subject: (NASIRC Ref: 

L Incident Initial Notification (ID_160) INITIAL INCIDENT NOTIFICATION Investigation 
Name:TCOM-CM-OUT-ID 160-02-2005 Incident Date:2005-02-22, 08:00 Investigator Name: Notified 
By:SNORT JPL Computer Information: HOSTNAME | IP ADDRESS | OS | FUNCTION | IN PLOIT | 
SENS INFO | SENS INFO DESC 1. BEREIT | Sun Solaris 8 (2.8) | Harvest Server | SC | 
Root account cracked | No | None Perpetrator Computer Information: HOSTNAME | IP ADDRESS | CITY | STATE | 
COUNTRY ‘eee | PEE Herndon | VA | United States Sensitive Information 
Involved:No Description of Sensitive Information Involved:None Additional Information:None. NASIRC Action:None. 
ee Original Message DIENS From: 

[mailto ncsa.uiuc.edu] Sent: Tuesday, February 22, 2005 1:24 PM To: nasirc@nasirc.hq.nasa.gov Cc: 
asa.gov; Bun Subject: (NASIRC Ref: 107485875) Recent activity Ok folks, here s the latest. 
Looks like stakkato and crew are back in action. They have been very quite the last few weeks and just recently we 
started seeing activity again. The stakkato.dyndns.ws address expired on 2/16, but they now have a new trojan. The 
current host associated with it is a registered domain for someone in Sweden. | am going to wait a bit before we give 
out the host name until we can find out more info on this person and domain in Sweden (I have already contacted the 
FBI about it). Here is what is more pertinent to you guys. The following was seen in the log files on the web server we 
are monitoring: Bee) - - [22/Feb/2005:11:14:17 -0500] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 200 
793332 [tcom-cm-out.|jpl.nasa.gov] Can you let me know where they were coming from? | have heard other sites are 
seeing activity from again. Thanks. Head of Security Operations and Incident 


Response National Center for Supercomputing Applications Voice : 605 East Springfield Avenue 
Champaign, IL 61820 Cell : 


kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkjk 


















kkkkkkkkkkkkkkkkkkkkkkkkkkkkkx 


ENTS:1 
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk INCIDENT INFO Incident Name:TCOM-CM-OUT-ID160-02-2005 
Discovery Date:22-FEB-05 Exploit Date:22-FEB-05 Labor Hours:14 Labor Cost:1400 HOSTILE SYSTEMS Hostile 
Name .NYC.RR.COM Hostile IP AFFECTED SYSTEMS Domain 

Name: -CM- jpl.nasa.gov IP Address: Incident Category:System Compromise Exploit 
Used:Root account cracked System OS:Sun Solaris B ersion:n/a Svstem Securitv Plan:168 


Lc A OJ K k kk kk k kk kkk k k k k k k kk kk k kk kk k kk kk k kk kkk k k kkk k kk kk kkk kk kk kkk k REVISED C LOSED 
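All three records above turn on the same piece of evidence: access-log lines from the web server NCSA was monitoring, showing a NASA host fetching /openssh-3.7.1p2.tar.gz (the trojaned ssh client) or /.mremap_pte (the precompiled kernel exploit), with the resolved victim hostname in a trailing bracketed field. The following is an added example, not NCSA's or NASA's code, that parses lines in that layout, keeps only completed (200) fetches of the watched paths, lists the victims per artifact, and flags when an artifact's byte count changes between fetches, as it does between the October 2004 tarball (792723 bytes) and the February 2005 one (793332 bytes), a sign the file was rebuilt and earlier hashes will no longer match. The regex, the function names and the 192.0.2.x client addresses are assumptions; the sample lines are constructed from the entries quoted in the records (client addresses were redacted in the release).

```python
import re
from collections import defaultdict
from datetime import datetime

# Paths the monitored web server served to compromised NASA hosts, per the records.
# Assumption: both live on the same attacker-controlled server.
STAKKATO_ARTIFACTS = {
    "/openssh-3.7.1p2.tar.gz": "trojaned OpenSSH client tarball",
    "/.mremap_pte": "precompiled Linux kernel exploit",
}

# Combined-format line with an optional trailing "[resolved-hostname]" field,
# the layout of the lines quoted in the records.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: \[(?P<host>[^\]]+)\])?\s*$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def artifact_downloads(lines, artifacts=STAKKATO_ARTIFACTS):
    """Completed (HTTP 200) fetches of watched paths, oldest first.
    A 404 or a partial transfer is noise; a 200 means the victim has the tool."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and rec["path"] in artifacts:
            rec["what"] = artifacts[rec["path"]]
            rec["victim"] = rec["host"] or rec["client"]
            hits.append(rec)
    hits.sort(key=lambda r: r["ts"])
    return hits


def victims_by_artifact(hits):
    """Map artifact path -> sorted list of distinct victim hosts."""
    out = defaultdict(set)
    for h in hits:
        out[h["path"]].add(h["victim"])
    return {p: sorted(v) for p, v in out.items()}


def size_changes(hits):
    """(path, old_bytes, new_bytes, when) each time a watched artifact's size
    differs from the previous completed fetch of the same path."""
    last, changes = {}, []
    for h in hits:
        prev = last.get(h["path"])
        if prev is not None and h["bytes"] != prev:
            changes.append((h["path"], prev, h["bytes"], h["ts"]))
        last[h["path"]] = h["bytes"]
    return changes


# Constructed sample input: paths, timestamps, sizes and victim hostnames are those
# quoted in the records; client addresses are RFC 5737 documentation addresses
# standing in for the redacted ones. The third and sixth lines are benign filler.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Oct/2004:10:27:48 -0400] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 200 792723 [helios.jpl.nasa.gov]',
    '192.0.2.11 - - [24/Oct/2004:10:48:52 -0400] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 200 792723 [orac.jpl.nasa.gov]',
    '192.0.2.12 - - [24/Oct/2004:11:02:07 -0400] "GET /index.html HTTP/1.0" 200 1532 [crawler.example.net]',
    '192.0.2.13 - - [06/Nov/2004:08:08:47 -0500] "GET /.mremap_pte HTTP/1.0" 200 467647 [cerebus.gsfc.nasa.gov]',
    '192.0.2.14 - - [22/Feb/2005:11:14:17 -0500] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 200 793332 [tcom-cm-out.jpl.nasa.gov]',
    '192.0.2.15 - - [22/Feb/2005:11:20:00 -0500] "GET /openssh-3.7.1p2.tar.gz HTTP/1.0" 404 - [scanner.example.org]',
]

if __name__ == "__main__":
    hits = artifact_downloads(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"].isoformat()} {h["victim"]:26} {h["path"]} ({h["what"]}, {h["bytes"]} bytes)')
    for path, old, new, ts in size_changes(hits):
        print(f"size change for {path}: {old} -> {new} bytes at {ts.isoformat()}")
```

The victim list is what NCSA handed NASA in each record; the size-change check is the extra step worth automating, since a rebuilt tarball means any file hashes collected from the October victims would not identify the February copy.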
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